firecrawl
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- External Downloads (MEDIUM): The skill documentation recommends installation via an untrusted GitHub repository (tumf/skills) and requires the firecrawl-py Python package, which does not originate from a trusted organization defined in the security policy.
- Indirect Prompt Injection (LOW): The toolkit is designed to ingest and process arbitrary data from external URLs, creating a surface for indirect prompt injection. 1. Ingestion points: Data is fetched from user-provided URLs in scrape.py, crawl.py, search.py, extract.py, and agent.py. 2. Boundary markers: No specific delimiters or safety warnings are added to the scraped content before it is returned to the agent. 3. Capability inventory: The skill allows the agent to read and process external web content, which could contain malicious instructions. 4. Sanitization: The scripts do not sanitize the fetched markdown or HTML content.
- Data Exposure & Exfiltration (LOW): The scripts communicate with firecrawl.dev, which is not on the whitelisted domains list, though this is the core intended purpose of the toolkit.
Audit Metadata