We checked this and rejected itprivacy

Firecrawl: why it is not safe to use

Firecrawl passed our review (82/100); the caveats are inherent to web scraping: pages can carry injected instructions, and requests route through a hosted cloud API by default.

What we found

Firecrawl passed our review with a score of 82/100. It is open-source (AGPL-3.0 with MIT SDKs), widely used, and readable, with no hardcoded secrets, no obfuscated payloads, and no destructive commands. It reads only a user-supplied `FIRECRAWL_API_KEY` from the environment and does not touch keychains, cookies, or SSH keys.

Three points are worth noting, and all are inherent to web scraping rather than specific to this code. First, scraped pages are returned to the agent as content, so a malicious page could embed instructions the model might act on (prompt injection). Second, by default target URLs and page content are processed on Firecrawl's hosted API (firecrawl.dev) rather than on your machine. Third, the tool makes outbound requests to arbitrary user-specified sites, which is its intended function.

What to do instead

Use Firecrawl, but treat scraped content as untrusted input and avoid letting the agent act on instructions found inside pages. For sensitive or private targets, consider the self-hosted option so content is not sent to the cloud API, and scope your API key narrowly.

Want the same outcome, safely? Use our checked skill instead.

Source: https://github.com/firecrawl/firecrawl

We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.

Copied to clipboard. Paste it into your AI (ChatGPT, Claude, or your agent) to add the skill.