Firecrawl CLI

Name: cli/firecrawl-cli
Author: firecrawl

View on GitHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill allows arbitrary file writes and SSRF

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

Firecrawl CLI: Web scraping, search, and page interaction CLI. Returns clean markdown optimized for LLM context windows.

Actually does

This skill executes the `firecrawl` CLI tool (or `npx firecrawl`) via Bash to perform web scraping, searching, crawling, and page interaction. It contacts external URLs and the Firecrawl API, reading and writing various files (markdown, JSON) to a `.firecrawl/` directory for output and organization.

Threat Analysis

AI Agent Traps ↗Scanned 4/14/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learning1 finding

Behavioural ControlAction4 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namefirecrawl/cli/firecrawl-cli

Registrygithub

Version3193905aa40d

PURLpkg:github/firecrawl/cli@3193905aa40d?skill=firecrawl-cli

Stars298

Installs455,628

Source

Repository ↗SKILL.md ↗

SHA-2564d2e8614a69a...

SHA-152feb56c67b2...

MD5784aab53a399...

TLSHf7e186027ecf...

ssdeep192:1SCzCIXW...

Size6,904 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

https://github.com/firecrawl/cli/tree/main/skills/firecrawl-cli

455,628 installs

Claude CodeDocs

/plugin marketplace add firecrawl/cli

/plugin install firecrawl-cli@firecrawl/cli

Skills.shDocs

npx skills add https://github.com/firecrawl/cli --skill firecrawl-cli

Assessments (3)

AI Agent Traps ↗

Arbitrary File Write via Firecrawl Output Flagcriticalcommand execution

The skill allows the `firecrawl` command with arbitrary arguments, including the `-o` flag for output. This enables writing scraped content to any file path on the system, potentially overwriting sensitive files or injecting malicious content into configuration files.

100% confidenceline 39

firecrawl scrape "https://firecrawl.dev" -o .firecrawl/install-check.md

Broad Bash Command Execution for Firecrawlhighcommand execution

The `allowed-tools` entry `Bash(firecrawl *)` grants the agent permission to execute the `firecrawl` command with any arguments. This broad permission could be exploited for command injection if `firecrawl` arguments are not properly sanitized, or for resource exhaustion.

100% confidenceline 9

allowed-tools:
  - Bash(firecrawl *)

Potential for Server-Side Request Forgery (SSRF)mediumssrf

As a web scraping tool, `firecrawl` can be directed to arbitrary URLs. If the agent's execution environment has access to internal networks, this could be leveraged for SSRF attacks or internal network reconnaissance by targeting internal IP addresses or hostnames.

80% confidenceline 98

firecrawl scrape "<url>"

Resource Exhaustion via Bulk Operationsmediumresource abuse

The `firecrawl crawl` and `firecrawl download` commands can be used to fetch large amounts of data. This could lead to excessive network traffic, storage consumption, or exhaustion of API credits, impacting system availability or incurring costs.

90% confidenceline 50

Workflow: 4. Crawl - Need bulk content from an entire site section; 'Download a site to files | `download`'

Semantic Instruction Bypass for Local File Operationsmediumoversight evasion

The skill description explicitly forbids 'local file operations,' but the `firecrawl` tool, as configured, can perform local file writes via its `-o` flag. A malicious prompt could exploit this discrepancy, instructing the agent to perform a forbidden action that the underlying tool technically allows.

90% confidenceline 7

Description: 'Do NOT trigger for local file operations...'; Capability: `firecrawl scrape "..." -o .firecrawl/install-check.md`

Discrepancy in Allowed Tools vs. Demonstrated Workflowlowdescription mismatch

The `allowed-tools` explicitly permit only `firecrawl` and `npx firecrawl` commands. However, the workflow examples demonstrate the use of other shell utilities like `jq`, `wc`, `head`, and `grep` for processing output, which are not explicitly allowed by the skill's `allowed-tools` definition. This could lead to agent confusion or attempts to execute unauthorized commands.

70% confidenceline 100

allowed-tools: - Bash(firecrawl *); Example: `jq -r '.data.web[].url' .firecrawl/search.json`

Version History (2)

959e570d9c9e70High4/15/2026 3193905aa40dcurrent100Critical4/14/2026

Dependencies (1)

firecrawl.claude-plugin/marketplace.jsonnot scanned

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/firecrawl/cli/firecrawl-cli.svg)](https://mondoo.com/ai-agent-security/skills/github/firecrawl/cli/firecrawl-cli)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/firecrawl/cli/firecrawl-cli"><img src="https://mondoo.com/ai-agent-security/api/badge/github/firecrawl/cli/firecrawl-cli.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/firecrawl/cli/firecrawl-cli.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow