Is firecrawl-search safe?

https://clawhub.ai/ashwingupy/firecrawl-search

Overall score: 72/100 · CAUTION

This skill is a legitimate Firecrawl API wrapper providing web search, scrape, and crawl capabilities. It contains no prompt injection or malicious intent. However, it presents significant SSRF risk because its Python scripts accept arbitrary URLs without any validation or internal-IP blocking, and it transmits the user's API key to a third-party service on every call. The crawl feature could be weaponized for internal network reconnaissance.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

HIGH SSRF via unrestricted scrape targets -35

scrape.py and crawl.py accept arbitrary URLs with no allowlist, blocklist, or localhost/internal-IP filtering. An agent following this skill's instructions could be directed to scrape internal services (localhost, cloud metadata endpoints like 169.254.169.254, internal dashboards) and return their contents to the user or to Firecrawl's API.

HIGH API key transmitted to third-party service -20

All three scripts transmit FIRECRAWL_API_KEY as a Bearer token to api.firecrawl.dev. The skill instructs users to set this in their environment or .env file. If the agent has access to the environment, this key is sent on every API call. A compromised or malicious Firecrawl endpoint could harvest these keys.

MEDIUM Executable Python scripts with network access -25

The skill includes three Python scripts that make outbound HTTP POST requests. While they are invoked on-demand (not auto-executed), the agent is instructed to run them via shell commands (firecrawl_search, firecrawl_scrape, firecrawl_crawl), giving them full shell execution context.

MEDIUM No input sanitization on URL parameters -20

URLs passed to scrape.py and crawl.py are sent directly to the Firecrawl API without any validation. While command injection via Python's urllib is unlikely, the lack of any URL scheme or host validation means file:// or other protocol handlers could be attempted.

MEDIUM Crawl feature enables network reconnaissance -25

With the --max-pages flag, crawl.py can spider up to N pages starting from any URL. If pointed at an internal network host, this effectively becomes a reconnaissance tool that maps internal site structure and returns page contents.

LOW Search queries could leak sensitive context -20

When the agent uses firecrawl_search on behalf of a user, the search query (which may contain sensitive context from the conversation) is sent to Firecrawl's API. This is a data leakage vector for conversational context.

LOW Host environment reads .aws/credentials during install -5

Filesystem monitoring shows an OPEN event on /home/oc-exec/.aws/credentials during the install phase. This appears to be from the host agent's AWS credential chain rather than the skill itself, but it is noted for completeness.

INFO Clean SKILL.md with no injection patterns -10

SKILL.md contains standard documentation with no hidden instructions, persona overrides, Unicode tricks, or attempts to manipulate agent behavior. The description accurately reflects the skill's functionality.