70High
The skill permits arbitrary command injection and
Behavior Analysis
Description verified — behavior matches claim
Claims to do
Firecrawl CLI: Search, scrape, and interact with the web. Returns clean markdown optimized for LLM context windows.
Actually does
This skill executes `firecrawl` or `npx firecrawl` commands via Bash to perform web search, scraping, crawling, and interaction tasks. It contacts external URLs provided by the user or found during operations, and reads/writes data to the local `.firecrawl/` directory, typically in Markdown or JSON format.
Skill Info
Namefirecrawl/cli/firecrawl-cli
Registrygithub
Version959e570d9c9e
PURLpkg:github/firecrawl/cli@959e570d9c9e?skill=firecrawl-cli
Stars298
Installs455,628
Source
SHA-2569ca506270594...
SHA-1169872ce4d11...
MD50e2bf496aef8...
TLSH7de177037ecf...
ssdeep192:ZaIWKcCI...
Size6,861 bytes
Install
Assessments (2)
AI Agent Traps ↗Broad Bash command execution via wildcardshighcommand execution
The `allowed-tools` configuration permits the execution of `firecrawl` and `npx firecrawl` with arbitrary arguments using `Bash(*)` directives. This broad permission is a significant command injection risk, allowing an attacker to execute arbitrary shell commands by crafting malicious input that bypasses argument parsing.
100% confidenceline 8
allowed-tools: - Bash(firecrawl *) - Bash(npx firecrawl *)
Arbitrary file write capabilitymediumdata exfiltration
The `firecrawl` tool supports writing scraped content to a specified file path using the `-o` flag. Combined with the broad `Bash(*)` permission, an attacker could potentially control the output location to overwrite sensitive files or exfiltrate data to attacker-controlled network shares.
90% confidenceline 98
firecrawl scrape "<url>" -o .firecrawl/page.md
Resource exhaustion via web crawlingmediumresource abuse
The skill's core functionality involves extensive web crawling and scraping, which can consume significant API credits, network bandwidth, and storage. An attacker could exploit this by instructing the agent to perform large-scale or recursive scraping operations, leading to resource exhaustion.
90% confidenceline 31
Credits: 500,000 remaining Concurrency: 0/100 jobs
Semantic guardrails for sensitive operationsinfooversight evasion
The skill includes explicit instructions to 'Do NOT trigger' for sensitive operations like local file operations or git commands. While intended as a safety measure, such explicit negative framing could potentially be used by an attacker to understand and probe the boundaries of the agent's capabilities.
80% confidenceline 4
Do NOT trigger for local file operations, git commands, deployments, or code editing tasks.
Version History (2)
Dependencies (1)
firecrawl.claude-plugin/marketplace.jsonnot scanned
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/firecrawl/cli/firecrawl-cli)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/firecrawl/cli/firecrawl-cli"><img src="https://mondoo.com/ai-agent-security/api/badge/github/firecrawl/cli/firecrawl-cli.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/firecrawl/cli/firecrawl-cli.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow