firecrawl-scrape
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill's primary function is to scrape web pages, which is a classic vector for indirect prompt injection attacks.
- Ingestion points: Untrusted data enters the agent context via the results of the
--urland--searchcommands executed by thefirecrawl_scrape.pyscript. - Boundary markers: There are no specific instructions or delimiters provided to help the agent distinguish between its own system instructions and the scraped web content.
- Capability inventory: The skill allows the use of
BashandReadtools, which could be abused if the agent is tricked by malicious content into executing commands. - Sanitization: No sanitization or filtering logic is mentioned for the scraped markdown/HTML content.
- [Command Execution] (SAFE): The skill executes a local script using the
uvpackage manager. - Evidence:
uv run python -m runtime.harness scripts/mcp/firecrawl_scrape.pyis used to trigger the scraper. - Context: This is a standard execution pattern for this environment and does not involve arbitrary command injection from user input.
Audit Metadata