pp-firecrawl
Pass
Audited by Gen Agent Trust Hub on May 23, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
firecrawl-pp-cliandfirecrawl-pp-mcpbinaries from the author's repository and NPM package scope. - Evidence:
npx -y @mvanhorn/printing-press install firecrawl --cli-only(SKILL.md) - Evidence:
go install github.com/mvanhorn/printing-press-library/library/developer-tools/firecrawl/cmd/firecrawl-pp-cli@latest(SKILL.md) - [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands to install dependencies and run the scraping CLI tool.
- Evidence: Numerous commands starting with
firecrawl-pp-clithroughout SKILL.md. - [DATA_EXFILTRATION]: The tool supports an output delivery feature that can POST data to a remote URL, which represents a potential data exfiltration capability.
- Evidence: Support for
webhook:<url>in the--deliverparameter (SKILL.md). - [PROMPT_INJECTION]: The skill facilitates the scraping and processing of external web content using LLMs, which introduces a surface for indirect prompt injection.
- Ingestion points: Scraped content retrieved from external URLs via
scrape,crawl,map, andextractcommands (SKILL.md). - Boundary markers: The instructions do not define delimiters or warnings to prevent the agent from following instructions embedded in the scraped data.
- Capability inventory: The agent has access to file writing (
file:<path>), command execution (firecrawl-pp-cli), and network POSTing (webhook:<url>). - Sanitization: No sanitization or validation of the retrieved web content is specified before it is processed by the agent.
Audit Metadata