firecrawl

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly instructs the agent to fetch and ingest arbitrary public web content using scrapeUrl and crawlUrl (e.g., "Point it at any URL", examples for crawling sites and monitoring competitor pages), so untrusted third‑party webpages can be read and fed into the agent's workflows.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Firecrawl's runtime call scrapeUrl fetches arbitrary external pages (e.g., https://docs.example.com/getting-started) and the returned markdown/content is injected into LLM/RAG prompts, so external URLs can directly control agent prompts.