Is firecrawl-skills safe?
https://clawhub.ai/ctbritt/firecrawl-skills
This skill is a documentation-only wrapper around the firecrawl-cli npm package for web scraping. It contains no malicious code itself, but introduces several medium-to-high risk vectors: it instructs global npm package installation (which runs arbitrary install scripts), provides shell injection patterns via xargs+sh -c, enables SSRF against internal networks with no URL restrictions, and overrides agent behavior by automatically creating directories, modifying .gitignore, and opening the browser without user consent.
Findings (12)
HIGH Behavioral override: automatic file creation and .gitignore modification -10
The skill instructs the agent to create a .firecrawl/ directory and modify .gitignore without asking the user. This overrides normal agent behavior of confirming filesystem changes and could be used to hide malicious files from git tracking.
MEDIUM Behavioral override: suppresses full file reading -8
The skill instructs the agent to NEVER read entire output files, which could be used to prevent the user from seeing the full content of scraped data that might reveal malicious activity.
MEDIUM Automatic browser opening without user consent -7
The skill instructs the agent to open the user's browser automatically via --browser flag without prompting. This bypasses user consent for browser interactions and could be leveraged in OAuth phishing scenarios.
MEDIUM Chained instruction loading via rules/install.md -5
The skill references an additional rules file that contains further behavioral instructions for the agent, creating a multi-layered injection chain that makes full audit harder.
HIGH No SSRF protection — internal network URLs can be scraped -10
The skill provides no restrictions on target URLs. An attacker could instruct the agent to scrape internal network addresses (127.0.0.1, 169.254.169.254 AWS metadata, 10.x.x.x) to exfiltrate cloud credentials or internal service data.
MEDIUM Shell injection via xargs URL processing -5
The parallelization example pipes URLs through xargs + sh -c without sanitization. A crafted URL containing shell metacharacters could execute arbitrary commands.
HIGH Global npm package installation with potential install scripts -15
The skill instructs installation of firecrawl-cli as a global npm package. npm install executes preinstall/postinstall scripts with the user's full privileges. If the package is compromised, arbitrary code runs on install.
MEDIUM Shell command execution via xargs pattern -10
The xargs -P + sh -c pattern provides direct shell execution capability. While intended for parallel scraping, it creates an exploitable vector for command injection.
LOW Unexpected skill reference in lock.json 0
The lock.json references academic-research-hub which is not part of the firecrawl-skills package, suggesting either a shared installation environment or bundled dependencies that increase attack surface.
MEDIUM Broad web access enables reconnaissance and data staging -25
The skill gives the agent broad, unrestricted web scraping capabilities. Combined with file write access, this creates a two-stage exfiltration vector: scrape sensitive internal resources to local files, then a second skill or prompt could exfiltrate those files.
LOW Credit/rate limit information disclosure -5
The skill exposes API credit and concurrency information which could be used to estimate usage patterns or plan resource exhaustion attacks.
INFO Skill is a thin wrapper — security depends on firecrawl-cli package -15
The skill itself contains no executable code — all risk transfers to the firecrawl-cli npm package. Security assessment of the skill is incomplete without auditing that external dependency.