firecrawl
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill requires the installation of the
firecrawlPython library via pip, which is an external dependency not included in the trusted sources list. - DATA_EXFILTRATION (LOW): The skill communicates with
firecrawl.dev, which is not on the whitelisted domains for data transfer. It also requires the user to provide and store aFIRECRAWL_API_KEYas an environment variable. - PROMPT_INJECTION (LOW): This skill is vulnerable to Indirect Prompt Injection (Category 8) because its primary function is to ingest and process untrusted data from the open web.
- Ingestion points: Content retrieved from arbitrary URLs via the
markdown,extract, andcrawlcommands. - Boundary markers: The documentation does not specify any delimiters or safety warnings to prevent the agent from following instructions embedded in the scraped content.
- Capability inventory: The skill allows for local command execution (
fc.py) and network requests. If the agent follows instructions found on a scraped page, it could be coerced into performing unintended actions. - Sanitization: There is no evidence of sanitization or filtering applied to the scraped markdown or structured data before it is presented to the agent.
- COMMAND_EXECUTION (LOW): The agent is instructed to run a local script
fc.py. While the implementation of this script is not provided for review, the documented usage involves passing user-provided URLs and prompts as command-line arguments.
Audit Metadata