Firecrawl Mcp

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Firecrawl/OneKey web automation wrapper with powerful browser and remote-service features that users should handle carefully.

Install only if you are comfortable sending requested URLs, prompts, schemas, and extracted content to OneKey/Firecrawl. Use your own scoped OneKey key instead of relying on the demo fallback, avoid sensitive logged-in sites unless intended, and treat browser click/type/execute actions as privileged because they can change remote web state within the provider-side browser session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (21)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The manifest presents the skill as a generic gateway wrapper, but the body exposes materially more powerful capabilities including autonomous browsing and executable browser-session code. That mismatch can mislead reviewers and downstream agents, causing them to trust or enable the skill under a much weaker risk model than its actual behavior warrants.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: This skill explicitly documents arbitrary code execution in browser sessions using bash, Python, or Node, which goes far beyond ordinary scraping. If exposed to untrusted prompts or weak policy controls, it can be used to execute harmful commands, automate sensitive site interactions, access session data, or pivot into broader agent abuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: The autonomous research agent can independently search, browse, and collect information across sites, which is a stronger capability than simple scrape/search tooling. In an agent ecosystem, that broader autonomy increases risk of unintended data collection, policy bypass through multi-step navigation, and opaque actions that are harder for users to supervise.

Intent-Code Divergence

Severity: Medium
Confidence: 82%
Finding: The CLI examples use argument names and shapes that do not match the documented interfaces, which can cause callers, wrappers, or automated agents to send malformed requests. In security-sensitive tools, interface inconsistency increases the chance of unsafe fallback behavior, incorrect tool invocation, and user confusion about what actions will actually occur.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The script reads a router access token from an environment variable and even falls back to a hardcoded default token value. In an auto-generated wrapper, this creates unnecessary credential-handling behavior and risks unauthorized use of a privileged external service if the script is run in an environment where secrets are broadly available or if the fallback token is accepted.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script retrieves a router credential from the environment but silently falls back to a hardcoded key, embedding usable authentication material in code. In an auto-generated wrapper, this is unjustified and dangerous because anyone running the script without proper configuration may still gain authenticated access to the backend service, enabling unintended API use and weakening credential management.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The script uses a credential from an environment variable but silently falls back to a hardcoded token when that variable is unset. A baked-in access token can be extracted from the code and reused by anyone who obtains the skill, enabling unauthorized access to the OneKey router and potentially allowing abuse of paid or privileged backend capabilities.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill advertises execution of arbitrary bash/Python/Node in a live browser session without prominent safety guidance. That omission is dangerous because users or upstream agents may treat examples as routine usage and trigger code execution or browser automation against sensitive sites without understanding the security, privacy, or account-impact risks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documented page actions include typing, clicking, executing JavaScript, and generating PDFs on remote pages, but there is no warning that these operations can submit forms, alter account state, or expose private data. In an agent context, such capabilities can turn a scraping skill into a transactional browser automation tool with real-world side effects.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The built-in fallback to a shared demo API key encourages use without explicit credential provisioning and omits warnings about shared-key privacy, rate limits, and access boundaries. This can cause users to send data through a communal credential, exposing prompts, URLs, or extracted content to unintended retention, cross-tenant visibility, or abuse of a public key.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The code retrieves a credential from an environment variable but silently falls back to a hard-coded default token value. If that default key is valid in any environment, unauthorized users could invoke the external router service without supplying their own credential, and the embedded secret may be reused across deployments or leaked through source exposure. In an agent skill that forwards user-controlled payloads to a remote service, hidden default credentials materially increase the risk of unintended data exposure and unauthorized API usage.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The code accesses a credential and prepares an external service client without any user-facing disclosure that secrets will be used and requests will leave the local environment. In a generic tool wrapper, this lack of transparency increases the risk that operators unknowingly run code that consumes sensitive credentials or interacts with third-party infrastructure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script forwards arbitrary JSON payload data to a remote API via router.invoke without any warning, consent prompt, redaction, or validation of sensitive fields. This is dangerous because users may supply secrets, internal URLs, or proprietary data assuming local processing, but the wrapper transmits that content off-host to a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The script accesses a sensitive router credential with no user disclosure, which reduces transparency around authentication and outbound privileged operations. While this is not as severe as exposing the key itself, it can mislead users into invoking network actions under ambient credentials they did not realize were being used.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script invokes a remote delete-capable API based only on provided input and prints the result, without any explicit warning, confirmation, or dry-run guard for a destructive action. In a generic generated wrapper, this increases the risk of accidental or scripted deletion of browser/session resources, especially when combined with implicit credential use.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script loads a router credential from an environment variable with a hard-coded fallback test key and then forwards arbitrary browser-execution payload data to a remote router without any user confirmation, warning, or audit guardrails. In a skill context that exposes browser execution, silent network transmission of session identifiers and code increases the risk of unintended remote actions, credential misuse, and data exfiltration if the tool is invoked with untrusted input or in a misconfigured environment.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script forwards the caller-supplied payload directly to an external OneKey router service, and the code provides no disclosure, consent prompt, or restriction on what data may be transmitted. In an agent-skill context, this creates a real data exposure risk because users may supply sensitive URLs or related metadata without realizing the input is leaving the local environment and being handled by a third party.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The code reads a credential-like environment variable and silently falls back to a hardcoded default token value when it is absent. Even if intended for testing, undisclosed credential handling and embedded fallback secrets are unsafe because they normalize secret-in-code practices and may enable unintended access or misuse if the fallback is valid in any environment.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script forwards user-supplied payload data, including a required URL and any additional fields, to a remote router service with no explicit disclosure, consent prompt, or data minimization. In a CLI wrapper for a network-capable MCP tool, this creates a real risk of users unintentionally transmitting sensitive internal URLs or metadata to an external service.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script forwards a user-supplied payload directly to a remote router service, and the payload includes a required URL field that can cause external network access and data transmission without any explicit warning, confirmation, or restriction. In an agent-skill context, this is security-relevant because users may not realize their supplied input is being sent to a third-party backend and used to fetch remote content, which can expose sensitive URLs, internal endpoints, or proprietary data.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: This script forwards the user-supplied payload, including the required query field, to a remote router service without any disclosure, consent prompt, or guardrails indicating that input will leave the local environment. In a CLI skill wrapper, users may reasonably assume local processing, so sensitive queries, internal terms, or proprietary data could be unintentionally transmitted to a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.