Firecrawl: why it is not safe to use
Firecrawl passed our review (82/100); the caveats are inherent to web scraping: pages can carry injected instructions, and requests route through a hosted cloud API by default.
What we found
Firecrawl passed our review with a score of 82/100. It is open-source (AGPL-3.0 with MIT SDKs), widely used, and readable, with no hardcoded secrets, no obfuscated payloads, and no destructive commands. It reads only a user-supplied `FIRECRAWL_API_KEY` from the environment and does not touch keychains, cookies, or SSH keys.
Three points are worth noting, and all are inherent to web scraping rather than specific to this code. First, scraped pages are returned to the agent as content, so a malicious page could embed instructions the model might act on (prompt injection). Second, by default target URLs and page content are processed on Firecrawl's hosted API (firecrawl.dev) rather than on your machine. Third, the tool makes outbound requests to arbitrary user-specified sites, which is its intended function.
What to do instead
Use Firecrawl, but treat scraped content as untrusted input and avoid letting the agent act on instructions found inside pages. For sensitive or private targets, consider the self-hosted option so content is not sent to the cloud API, and scope your API key narrowly.
Source: https://github.com/firecrawl/firecrawl
We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.