Is leonardogrig/firecrawl-skills safe?
https://github.com/openclaw/skills/tree/main/skills/leonardogrig/firecrawl-skills
The firecrawl-skills skill is legitimate documentation for the Firecrawl CLI web scraping tool and contains no prompt injection, hidden instructions, or malicious code. The skill installation was clean — only markdown files were added, network activity was limited to GitHub, and all canary honeypot files remained intact with no exfiltration detected. The primary risks are operational rather than intrinsic: the skill instructs global npm package installation at runtime without explicit confirmation, routes all scraped data through a third-party commercial API, and enables broad web capabilities (JS rendering, block bypass, parallel crawling) that could be misused or chained with other skills for reconnaissance or data exfiltration.
Findings (6)
HIGH Runtime global npm package installation without confirmation -20
The skill instructs the agent to execute 'npm install -g firecrawl-cli' if the CLI is not present. This performs a global npm install of a third-party package at runtime, outside the skill installation sandbox. The npm package could contain preinstall/postinstall scripts that execute arbitrary code, and the installation is triggered without an explicit user confirmation step in the documented flow.
MEDIUM All scraped data routed through third-party Firecrawl API -12
Every scrape, crawl, search, and map operation transmits target URLs and their full content to Firecrawl's cloud API (firecrawl.dev). This means any data the agent retrieves at user direction — including potentially sensitive internal documentation, authenticated pages, or research materials — passes through and is processed by a third-party commercial service. API keys are also stored with and authenticated against this service.
MEDIUM Auto-browser authentication bypasses user confirmation -8
The skill explicitly instructs the agent to pass '--browser' to 'firecrawl login' and describes this as 'automatically opens the browser for authentication without prompting.' In rules/install.md this is labeled 'the recommended method for agents.' This removes the user from an authentication flow and could be exploited to trigger browser-based credential phishing or silently authenticate to an attacker-controlled Firecrawl account.
LOW Shell injection surface in xargs parallel scraping pattern -5
The documented xargs pattern uses sh -c with direct URL interpolation: xargs -P 10 -I {} sh -c 'firecrawl scrape "{}"...'. If a URL in urls.txt contains shell metacharacters, this pattern enables command injection. While this requires a malicious urls.txt, agents following this pattern may construct or accept such files from user input or scraped content.
LOW Web capabilities enable reconnaissance and internal resource access -5
Firecrawl supports JavaScript rendering, bypass of common bot-detection blocks, subdomain crawling, and authenticated session scraping. If the agent is operating in an environment with internal web services, this skill could be directed (intentionally or via prompt injection in scraped content) to map and exfiltrate internal URLs, documentation, or API endpoints.
INFO Credential file reads during install attributed to system processes 0
Filesystem monitoring recorded reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at 04:00:09 during the installation window. Correlation with auditd EXECVE and SOCKADDR records confirms these were triggered by Oathe's own sudo and sshd processes performing normal DNS resolution and PAM authentication, not by any code originating from the skill. Canary integrity check confirmed no exfiltration.