v0.2.0 · live
CAPFRAME
← leaderboard/rank #87
§ serversandboxfindings.v2

Firecrawl MCP

npm:firecrawl-mcp@3.20.2

github.com/mendableai/firecrawl-mcp-server

Score
D0
Findings
49
Tools
20
Last scan
2026-06-05

Severity breakdown

Critical1
High6
Medium42
Low0
Info0

Worst finding

Tool `firecrawl_interact` exposes a code/command execution surface

· firecrawl_interact

`firecrawl_interact` looks like it executes code or shell commands ( Interact with a previously scraped page in a live browser session. Scrape a page first with firecrawl_scrape, then use the returned scrapeId to click buttons, fill forms, extract dynamic content, or navigate deeper. **Best for:** Multi-step workflows on a single page — searching a site, clicking through results, filling forms, extracting data that requires interaction. **Requires:** A scrapeId from a previous firecrawl_scrape call (found in the metadata of the scrape response). **Arguments:** - scrapeId: The scrape job ID from a previous scrape (required) - prompt: Natural language instruction describing the action to take (use this OR code) - code: Code to execute in the browser session (use this OR prompt) - language: "bash", "python", or "node" (optional, defaults to "node", only used with code) - timeout: Execution timeout in seconds, 1-300 (optional, defaults to 30) **Usage Example (prompt):** ```json { "name": "firecrawl_interact", "arguments": { "scrapeId": "scrape-id-from-previous-scrape", "prompt": "Click on the first product and tell me its price" } } ``` **Usage Example (code):** ```json { "name": "firecrawl_interact", "arguments": { "scrapeId": "scrape-id-from-previous-scrape", "code": "agent-browser click @e5", "language": "bash" } } ``` **Returns:** Execution result including output, stdout, stderr, exit code, and live view URLs. ). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

All 49 findings

  1. critical
    Tool `firecrawl_interact` exposes a code/command execution surface· firecrawl_interactexcessive agency

    `firecrawl_interact` looks like it executes code or shell commands ( Interact with a previously scraped page in a live browser session. Scrape a page first with firecrawl_scrape, then use the returned scrapeId to click buttons, fill forms, extract dynamic content, or navigate deeper. **Best for:** Multi-step workflows on a single page — searching a site, clicking through results, filling forms, extracting data that requires interaction. **Requires:** A scrapeId from a previous firecrawl_scrape call (found in the metadata of the scrape response). **Arguments:** - scrapeId: The scrape job ID from a previous scrape (required) - prompt: Natural language instruction describing the action to take (use this OR code) - code: Code to execute in the browser session (use this OR prompt) - language: "bash", "python", or "node" (optional, defaults to "node", only used with code) - timeout: Execution timeout in seconds, 1-300 (optional, defaults to 30) **Usage Example (prompt):** ```json { "name": "firecrawl_interact", "arguments": { "scrapeId": "scrape-id-from-previous-scrape", "prompt": "Click on the first product and tell me its price" } } ``` **Usage Example (code):** ```json { "name": "firecrawl_interact", "arguments": { "scrapeId": "scrape-id-from-previous-scrape", "code": "agent-browser click @e5", "language": "bash" } } ``` **Returns:** Execution result including output, stdout, stderr, exit code, and live view URLs. ). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

    fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

  2. high
    Tool `firecrawl_map` accepts an unbounded monetary / quota value· firecrawl_mapexcessive agency

    The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  3. high
    Tool `firecrawl_search` accepts an unbounded monetary / quota value· firecrawl_searchexcessive agency

    The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  4. high
    Tool `firecrawl_crawl` accepts an unbounded monetary / quota value· firecrawl_crawlexcessive agency

    The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  5. high
    Tool `firecrawl_monitor_create` name implies a side effect that is not declared· firecrawl_monitor_createexcessive agency

    `firecrawl_monitor_create` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  6. high
    Tool `firecrawl_monitor_update` name implies a side effect that is not declared· firecrawl_monitor_updateexcessive agency

    `firecrawl_monitor_update` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  7. high
    Tool `firecrawl_monitor_delete` name implies a side effect that is not declared· firecrawl_monitor_deleteexcessive agency

    `firecrawl_monitor_delete` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  8. medium
    Tool `firecrawl_scrape` accepts unconstrained string input· firecrawl_scrapeunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `proxy`, `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  9. medium
    Tool `firecrawl_scrape` fetches external web content -- indirect-injection surface· firecrawl_scrapeindirect injection

    Description: " Scrape content from a single URL with advanced options. This is the most powerful, fastest and most reliable scraper tool, if available you should always default to using this tool for any web scraping needs. **Best for:** Single page content extraction, when you know exactly which page contains the information. **Not recommended for:** Multiple pages (call scrape multiple times or use crawl), unknown page location (use search). **Common mistakes:** Using markdown format when extracting specific data points (use JSON instead). **Other Features:** Use 'branding' format to extract brand identity (colors, fonts, typography, spacing, UI components) for design analysis or style replication. **CRITICAL - Format Selection (you MUST follow this):** When the user asks for SPECIFIC data points, you MUST use JSON format with a schema. Only use markdown when the user needs the ENTIRE page content. **Use JSON format when user asks for:** - Parameters, fields, or specifications (e.g., "get the header parameters", "what are the required fields") - Prices, numbers, or structured data (e.g., "extract the pricing", "get the product details") - API details, endpoints, or technical specs (e.g., "find the authentication endpoint") - Lists of items or properties (e.g., "list the features", "get all the options") - Any specific piece of information from a page **Use markdown format ONLY when:** - User wants to read/summarize an entire article or blog post - User needs to see all content on a page without specific extraction - User explicitly asks for the full page content **Handling JavaScript-rendered pages (SPAs):** If JSON extraction returns empty, minimal, or just navigation content, the page is likely JavaScript-rendered or the content is on a different URL. Try these steps IN ORDER: 1. **Add waitFor parameter:** Set `waitFor: 5000` to `waitFor: 10000` to allow JavaScript to render before extraction 2. **Try a different URL:** If the URL has a hash fragment (#section), try the base URL or look for a direct page URL 3. **Use firecrawl_map to find the correct page:** Large documentation sites or SPAs often spread content across multiple URLs. Use `firecrawl_map` with a `search` parameter to discover the specific page containing your target content, then scrape that URL directly. Example: If scraping "https://docs.example.com/reference" fails to find webhook parameters, use `firecrawl_map` with `{"url": "https://docs.example.com/reference", "search": "webhook"}` to find URLs like "/reference/webhook-events", then scrape that specific page. 4. **Use firecrawl_agent:** As a last resort for heavily dynamic pages where map+scrape still fails, use the agent which can autonomously navigate and research **Usage Example (JSON format - REQUIRED for specific data extraction):** ```json { "name": "firecrawl_scrape", "arguments": { "url": "https://example.com/api-docs", "formats": ["json"], "jsonOptions": { "prompt": "Extract the header parameters for the authentication endpoint", "schema": { "type": "object", "properties": { "parameters": { "type": "array", "items": { "type": "object", "properties": { "name": { "type": "string" }, "type": { "type": "string" }, "required": { "type": "boolean" }, "description": { "type": "string" } } } } } } } } } ``` **Prefer markdown format by default.** You can read and reason over the full page content directly — no need for an intermediate query step. Use markdown for questions about page content, factual lookups, and any task where you need to understand the page. **Use JSON format when user needs:** - Structured data with specific fields (extract all products with name, price, description) - Data in a specific schema for downstream processing **Use query format only when:** - The page is extremely long and you need a single targeted answer without processing the full content - You want a quick factual answer and don't need to retain the page content - Set `queryOptions.mode` to `"directQuote"` when you need verbatim page text; otherwise it defaults to `"freeform"` **Usage Example (markdown format - default for most tasks):** ```json { "name": "firecrawl_scrape", "arguments": { "url": "https://example.com/article", "formats": ["markdown"], "onlyMainContent": true } } ``` **Usage Example (branding format - extract brand identity):** ```json { "name": "firecrawl_scrape", "arguments": { "url": "https://example.com", "formats": ["branding"] } } ``` **Branding format:** Extracts comprehensive brand identity (colors, fonts, typography, spacing, logo, UI components) for design analysis or style replication. **Performance:** Add maxAge parameter for 500% faster scrapes using cached data. **Lockdown mode:** Set `lockdown: true` to serve the request only from the existing index/cache without any outbound network request. For air-gapped or compliance-constrained use where the request URL itself is considered sensitive. Errors on cache miss. Billed at 5 credits. **Privacy:** Set `redactPII: true` to return content with personally identifiable information redacted. **Returns:** JSON structured data, markdown, branding profile, or other formats as specified. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  10. medium
    Tool `firecrawl_map` accepts unconstrained string input· firecrawl_mapunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `search`, `sitemap`, `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  11. medium
    Tool `firecrawl_map` fetches external web content -- indirect-injection surface· firecrawl_mapindirect injection

    Description: " Map a website to discover all indexed URLs on the site. **Best for:** Discovering URLs on a website before deciding what to scrape; finding specific sections or pages within a large site; locating the correct page when scrape returns empty or incomplete results. **Not recommended for:** When you already know which specific URL you need (use scrape); when you need the content of the pages (use scrape after mapping). **Common mistakes:** Using crawl to discover URLs instead of map; jumping straight to firecrawl_agent when scrape fails instead of using map first to find the right page. **IMPORTANT - Use map before agent:** If `firecrawl_scrape` returns empty, minimal, or irrelevant content, use `firecrawl_map` with the `search` parameter to find the specific page URL containing your target content. This is faster and cheaper than using `firecrawl_agent`. Only use the agent as a last resort after map+scrape fails. **Prompt Example:** "Find the webhook documentation page on this API docs site." **Usage Example (discover all URLs):** ```json { "name": "firecrawl_map", "arguments": { "url": "https://example.com" } } ``` **Usage Example (search for specific content - RECOMMENDED when scrape fails):** ```json { "name": "firecrawl_map", "arguments": { "url": "https://docs.example.com/api", "search": "webhook events" } } ``` **Returns:** Array of URLs found on the site, filtered by search query if provided. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  12. medium
    Tool `firecrawl_search` accepts unconstrained string input· firecrawl_searchunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `filter`, `location`, `query`, `tbs`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  13. medium
    Tool `firecrawl_search` description mentions money but no `money` side-effect is declared· firecrawl_searchexcessive agency

    Description: " Search the web and optionally extract content from search results. This is the most powerful web search tool available, and if available you should always default to using this tool for any web search needs. The query also supports search operators, that you can use if needed to refine the search: | Operator | Functionality | Examples | ---|-|-| | `""` | Non-fuzzy matches a string of text | `"Firecrawl"` | `-` | Excludes certain keywords or negates other operators | `-bad`, `-site:firecrawl.dev` | `site:` | Only returns results from a specified website | `site:firecrawl.dev` | `inurl:` | Only returns results that include a word in the URL | `inurl:firecrawl` | `allinurl:` | Only returns results that include multiple words in the URL | `allinurl:git firecrawl` | `intitle:` | Only returns results that include a word in the title of the page | `intitle:Firecrawl` | `allintitle:` | Only returns results that include multiple words in the title of the page | `allintitle:firecrawl playground` | `related:` | Only returns results that are related to a specific domain | `related:firecrawl.dev` | `imagesize:` | Only returns images with exact dimensions | `imagesize:1920x1080` | `larger:` | Only returns images larger than specified dimensions | `larger:1920x1080` **Best for:** Finding specific information across multiple websites, when you don't know which website has the information; when you need the most relevant content for a query. **Not recommended for:** When you need to search the filesystem. When you already know which website to scrape (use scrape); when you need comprehensive coverage of a single website (use map or crawl. **Common mistakes:** Using crawl or map for open-ended questions (use search instead). **Prompt Example:** "Find the latest research papers on AI published in 2023." **Sources:** web, images, news, default to web unless needed images or news. **Domain filters:** Use includeDomains to restrict results to specific domains, or excludeDomains to remove domains. Do not use both in the same request. Domains must be hostnames only, without protocol or path. **Scrape Options:** Only use scrapeOptions when you think it is absolutely necessary. When you do so default to a lower limit to avoid timeouts, 5 or lower. **Optimal Workflow:** Search first using firecrawl_search without formats, then after fetching the results, use the scrape tool to get the content of the relevantpage(s) that you want to scrape **After the search:** Once you have processed the results (or decided they were not useful), call `firecrawl_search_feedback` with the `id` from this response. The first feedback per search refunds 1 credit and helps Firecrawl improve search quality. **Usage Example without formats (Preferred):** ```json { "name": "firecrawl_search", "arguments": { "query": "top AI companies", "limit": 5, "includeDomains": ["example.com"], "sources": [ { "type": "web" } ] } } ``` **Usage Example with formats:** ```json { "name": "firecrawl_search", "arguments": { "query": "latest AI research papers 2023", "limit": 5, "lang": "en", "country": "us", "sources": [ { "type": "web" }, { "type": "images" }, { "type": "news" } ], "scrapeOptions": { "formats": ["markdown"], "onlyMainContent": true } } } ``` **Returns:** A JSON envelope of the form `{ success, data: { web?, images?, news? }, id, creditsUsed }`. Each result array contains the search results (with optional scraped content). Pass the top-level `id` to `firecrawl_search_feedback` after you've used the results. " -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  14. medium
    Tool `firecrawl_search` fetches external web content -- indirect-injection surface· firecrawl_searchindirect injection

    Description: " Search the web and optionally extract content from search results. This is the most powerful web search tool available, and if available you should always default to using this tool for any web search needs. The query also supports search operators, that you can use if needed to refine the search: | Operator | Functionality | Examples | ---|-|-| | `""` | Non-fuzzy matches a string of text | `"Firecrawl"` | `-` | Excludes certain keywords or negates other operators | `-bad`, `-site:firecrawl.dev` | `site:` | Only returns results from a specified website | `site:firecrawl.dev` | `inurl:` | Only returns results that include a word in the URL | `inurl:firecrawl` | `allinurl:` | Only returns results that include multiple words in the URL | `allinurl:git firecrawl` | `intitle:` | Only returns results that include a word in the title of the page | `intitle:Firecrawl` | `allintitle:` | Only returns results that include multiple words in the title of the page | `allintitle:firecrawl playground` | `related:` | Only returns results that are related to a specific domain | `related:firecrawl.dev` | `imagesize:` | Only returns images with exact dimensions | `imagesize:1920x1080` | `larger:` | Only returns images larger than specified dimensions | `larger:1920x1080` **Best for:** Finding specific information across multiple websites, when you don't know which website has the information; when you need the most relevant content for a query. **Not recommended for:** When you need to search the filesystem. When you already know which website to scrape (use scrape); when you need comprehensive coverage of a single website (use map or crawl. **Common mistakes:** Using crawl or map for open-ended questions (use search instead). **Prompt Example:** "Find the latest research papers on AI published in 2023." **Sources:** web, images, news, default to web unless needed images or news. **Domain filters:** Use includeDomains to restrict results to specific domains, or excludeDomains to remove domains. Do not use both in the same request. Domains must be hostnames only, without protocol or path. **Scrape Options:** Only use scrapeOptions when you think it is absolutely necessary. When you do so default to a lower limit to avoid timeouts, 5 or lower. **Optimal Workflow:** Search first using firecrawl_search without formats, then after fetching the results, use the scrape tool to get the content of the relevantpage(s) that you want to scrape **After the search:** Once you have processed the results (or decided they were not useful), call `firecrawl_search_feedback` with the `id` from this response. The first feedback per search refunds 1 credit and helps Firecrawl improve search quality. **Usage Example without formats (Preferred):** ```json { "name": "firecrawl_search", "arguments": { "query": "top AI companies", "limit": 5, "includeDomains": ["example.com"], "sources": [ { "type": "web" } ] } } ``` **Usage Example with formats:** ```json { "name": "firecrawl_search", "arguments": { "query": "latest AI research papers 2023", "limit": 5, "lang": "en", "country": "us", "sources": [ { "type": "web" }, { "type": "images" }, { "type": "news" } ], "scrapeOptions": { "formats": ["markdown"], "onlyMainContent": true } } } ``` **Returns:** A JSON envelope of the form `{ success, data: { web?, images?, news? }, id, creditsUsed }`. Each result array contains the search results (with optional scraped content). Pass the top-level `id` to `firecrawl_search_feedback` after you've used the results. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  15. medium
    Tool `firecrawl_search_feedback` accepts unconstrained string input· firecrawl_search_feedbackunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `rating`, `searchId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  16. medium
    Tool `firecrawl_search_feedback` description mentions money but no `money` side-effect is declared· firecrawl_search_feedbackexcessive agency

    Description: " Send structured feedback on a previous `firecrawl_search` result. **Call this immediately after a search where you used the results** so we can improve search quality and refund 1 credit (search costs 2). Pass the `searchId` returned by `firecrawl_search` (the `id` field on the response) and tell us: - **rating** — overall result quality: `good`, `partial`, or `bad`. - **valuableSources** — which result URLs were actually useful, and a short reason why. - **missingContent** — **the most important field.** An ARRAY of specific pieces of content you expected to find but didn't. One entry per missing piece, each with a short `topic` and an optional longer `description`. Examples: `{"topic":"enterprise pricing","description":"no pricing tier table for the Enterprise plan was returned"}`, `{"topic":"API rate limits"}`, `{"topic":"comparison vs competitors"}`. **Be specific** — these aggregate across teams and tell us what to index next. Do not pack multiple topics into one entry. - **querySuggestions** — how the query or response shape could be improved (e.g. "would have liked official docs first", "should boost github.com"). **Substantive-feedback requirement** (zero-effort feedback is rejected with HTTP 400): - `good` — must include at least one `valuableSources` entry - `partial` — must include `valuableSources` or at least one `missingContent` entry - `bad` — must include at least one `missingContent` entry or `querySuggestions` **Time window:** Feedback must be submitted within ~2 minutes of the search. Beyond that, the call returns HTTP 409 with `feedbackErrorCode: "FEEDBACK_WINDOW_EXPIRED"` — do not retry, just move on. Same goes for any 4xx response: do not retry-loop. **Behaviors:** - Idempotent per `searchId`. Re-submitting for the same id returns `alreadySubmitted: true` with `creditsRefunded: 0`. - Refund only applies to billable searches; preview teams are blocked. - Failed searches cannot receive feedback (the search itself already returned an error you can act on). - **Daily refund cap (per team, per UTC day, default 100 credits).** Once a team's `creditsRefundedToday` reaches `dailyRefundCap`, the response returns `dailyCapReached: true` with `creditsRefunded: 0`. The feedback is still recorded for search-quality improvement — only the credit refund is gated. **Stop calling this tool for the rest of the UTC day** when you see `dailyCapReached: true`. **When to call:** Right after processing a search result. If the result didn't help, send rating `bad` with a clear `missingContent` — that is just as valuable as a `good` rating. **Usage Example (good rating with valuable sources + missing content):** ```json { "name": "firecrawl_search_feedback", "arguments": { "searchId": "0193f6c5-1234-7890-abcd-1234567890ab", "rating": "good", "valuableSources": [ { "url": "https://docs.firecrawl.dev/features/search", "reason": "Most up-to-date description of /search." } ], "missingContent": [ { "topic": "Pricing for the search endpoint", "description": "No pricing tier table for /search specifically." }, { "topic": "Rate limits", "description": "Per-team RPS for /search not documented." } ], "querySuggestions": "Boost docs.firecrawl.dev for queries that mention 'firecrawl'" } } ``` **Usage Example (bad rating, what was missing):** ```json { "name": "firecrawl_search_feedback", "arguments": { "searchId": "0193f6c5-1234-7890-abcd-1234567890ab", "rating": "bad", "missingContent": [ { "topic": "Recent benchmarks", "description": "All results were >12 months old." }, { "topic": "Comparison vs Algolia" } ] } } ``` **Returns:** `{ success, feedbackId, creditsRefunded, creditsRefundedToday, dailyRefundCap, dailyCapReached?, alreadySubmitted?, warning? }` JSON. " -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  17. medium
    Tool `firecrawl_search_feedback` fetches external web content -- indirect-injection surface· firecrawl_search_feedbackindirect injection

    Description: " Send structured feedback on a previous `firecrawl_search` result. **Call this immediately after a search where you used the results** so we can improve search quality and refund 1 credit (search costs 2). Pass the `searchId` returned by `firecrawl_search` (the `id` field on the response) and tell us: - **rating** — overall result quality: `good`, `partial`, or `bad`. - **valuableSources** — which result URLs were actually useful, and a short reason why. - **missingContent** — **the most important field.** An ARRAY of specific pieces of content you expected to find but didn't. One entry per missing piece, each with a short `topic` and an optional longer `description`. Examples: `{"topic":"enterprise pricing","description":"no pricing tier table for the Enterprise plan was returned"}`, `{"topic":"API rate limits"}`, `{"topic":"comparison vs competitors"}`. **Be specific** — these aggregate across teams and tell us what to index next. Do not pack multiple topics into one entry. - **querySuggestions** — how the query or response shape could be improved (e.g. "would have liked official docs first", "should boost github.com"). **Substantive-feedback requirement** (zero-effort feedback is rejected with HTTP 400): - `good` — must include at least one `valuableSources` entry - `partial` — must include `valuableSources` or at least one `missingContent` entry - `bad` — must include at least one `missingContent` entry or `querySuggestions` **Time window:** Feedback must be submitted within ~2 minutes of the search. Beyond that, the call returns HTTP 409 with `feedbackErrorCode: "FEEDBACK_WINDOW_EXPIRED"` — do not retry, just move on. Same goes for any 4xx response: do not retry-loop. **Behaviors:** - Idempotent per `searchId`. Re-submitting for the same id returns `alreadySubmitted: true` with `creditsRefunded: 0`. - Refund only applies to billable searches; preview teams are blocked. - Failed searches cannot receive feedback (the search itself already returned an error you can act on). - **Daily refund cap (per team, per UTC day, default 100 credits).** Once a team's `creditsRefundedToday` reaches `dailyRefundCap`, the response returns `dailyCapReached: true` with `creditsRefunded: 0`. The feedback is still recorded for search-quality improvement — only the credit refund is gated. **Stop calling this tool for the rest of the UTC day** when you see `dailyCapReached: true`. **When to call:** Right after processing a search result. If the result didn't help, send rating `bad` with a clear `missingContent` — that is just as valuable as a `good` rating. **Usage Example (good rating with valuable sources + missing content):** ```json { "name": "firecrawl_search_feedback", "arguments": { "searchId": "0193f6c5-1234-7890-abcd-1234567890ab", "rating": "good", "valuableSources": [ { "url": "https://docs.firecrawl.dev/features/search", "reason": "Most up-to-date description of /search." } ], "missingContent": [ { "topic": "Pricing for the search endpoint", "description": "No pricing tier table for /search specifically." }, { "topic": "Rate limits", "description": "Per-team RPS for /search not documented." } ], "querySuggestions": "Boost docs.firecrawl.dev for queries that mention 'firecrawl'" } } ``` **Usage Example (bad rating, what was missing):** ```json { "name": "firecrawl_search_feedback", "arguments": { "searchId": "0193f6c5-1234-7890-abcd-1234567890ab", "rating": "bad", "missingContent": [ { "topic": "Recent benchmarks", "description": "All results were >12 months old." }, { "topic": "Comparison vs Algolia" } ] } } ``` **Returns:** `{ success, feedbackId, creditsRefunded, creditsRefundedToday, dailyRefundCap, dailyCapReached?, alreadySubmitted?, warning? }` JSON. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  18. medium
    Tool `firecrawl_crawl` accepts unconstrained string input· firecrawl_crawlunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `prompt`, `sitemap`, `url`, `webhook`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  19. medium
    Tool `firecrawl_crawl` fetches external web content -- indirect-injection surface· firecrawl_crawlindirect injection

    Description: " Starts a crawl job on a website and extracts content from all pages. **Best for:** Extracting content from multiple related pages, when you need comprehensive coverage. **Not recommended for:** Extracting content from a single page (use scrape); when token limits are a concern (use map + batch_scrape); when you need fast results (crawling can be slow). **Warning:** Crawl responses can be very large and may exceed token limits. Limit the crawl depth and number of pages, or use map + batch_scrape for better control. **Common mistakes:** Setting limit or maxDiscoveryDepth too high (causes token overflow) or too low (causes missing pages); using crawl for a single page (use scrape instead). Using a /* wildcard is not recommended. **Prompt Example:** "Get all blog posts from the first two levels of example.com/blog." **Usage Example:** ```json { "name": "firecrawl_crawl", "arguments": { "url": "https://example.com/blog/*", "maxDiscoveryDepth": 5, "limit": 20, "allowExternalLinks": false, "deduplicateSimilarURLs": true, "sitemap": "include" } } ``` **Returns:** Operation ID for status checking; use firecrawl_check_crawl_status to check progress. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  20. medium
    Tool `firecrawl_check_crawl_status` accepts unconstrained string input· firecrawl_check_crawl_statusunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  21. medium
    Tool `firecrawl_check_crawl_status` fetches external web content -- indirect-injection surface· firecrawl_check_crawl_statusindirect injection

    Description: " Check the status of a crawl job. **Usage Example:** ```json { "name": "firecrawl_check_crawl_status", "arguments": { "id": "550e8400-e29b-41d4-a716-446655440000" } } ``` **Returns:** Status and progress of the crawl job, including results if available. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  22. medium
    Tool `firecrawl_extract` accepts unconstrained string input· firecrawl_extractunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `prompt`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  23. medium
    Tool `firecrawl_extract` fetches external web content -- indirect-injection surface· firecrawl_extractindirect injection

    Description: " Extract structured information from web pages using LLM capabilities. Supports both cloud AI and self-hosted LLM extraction. **Best for:** Extracting specific structured data like prices, names, details from web pages. **Not recommended for:** When you need the full content of a page (use scrape); when you're not looking for specific structured data. **Arguments:** - urls: Array of URLs to extract information from - prompt: Custom prompt for the LLM extraction - schema: JSON schema for structured data extraction - allowExternalLinks: Allow extraction from external links - enableWebSearch: Enable web search for additional context - includeSubdomains: Include subdomains in extraction **Prompt Example:** "Extract the product name, price, and description from these product pages." **Usage Example:** ```json { "name": "firecrawl_extract", "arguments": { "urls": ["https://example.com/page1", "https://example.com/page2"], "prompt": "Extract product information including name, price, and description", "schema": { "type": "object", "properties": { "name": { "type": "string" }, "price": { "type": "number" }, "description": { "type": "string" } }, "required": ["name", "price"] }, "allowExternalLinks": false, "enableWebSearch": false, "includeSubdomains": false } } ``` **Returns:** Extracted structured data as defined by your schema. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  24. medium
    Tool `firecrawl_agent` fetches external web content -- indirect-injection surface· firecrawl_agentindirect injection

    Description: " Autonomous web research agent. This is a separate AI agent layer that independently browses the internet, searches for information, navigates through pages, and extracts structured data based on your query. You describe what you need, and the agent figures out where to find it. **How it works:** The agent performs web searches, follows links, reads pages, and gathers data autonomously. This runs **asynchronously** - it returns a job ID immediately, and you poll `firecrawl_agent_status` to check when complete and retrieve results. **IMPORTANT - Async workflow with patient polling:** 1. Call `firecrawl_agent` with your prompt/schema → returns job ID immediately 2. Poll `firecrawl_agent_status` with the job ID to check progress 3. **Keep polling for at least 2-3 minutes** - agent research typically takes 1-5 minutes for complex queries 4. Poll every 15-30 seconds until status is "completed" or "failed" 5. Do NOT give up after just a few polling attempts - the agent needs time to research **Expected wait times:** - Simple queries with provided URLs: 30 seconds - 1 minute - Complex research across multiple sites: 2-5 minutes - Deep research tasks: 5+ minutes **Best for:** Complex research tasks where you don't know the exact URLs; multi-source data gathering; finding information scattered across the web; extracting data from JavaScript-heavy SPAs that fail with regular scrape. **Not recommended for:** - Single-page extraction when you have a URL (use firecrawl_scrape, faster and cheaper) - Web search (use firecrawl_search first) - Interactive page tasks like clicking, filling forms, login, or navigating JS-heavy SPAs (use firecrawl_scrape + firecrawl_interact) - Extracting specific data from a known page (use firecrawl_scrape with JSON format) **Arguments:** - prompt: Natural language description of the data you want (required, max 10,000 characters) - urls: Optional array of URLs to focus the agent on specific pages - schema: Optional JSON schema for structured output **Prompt Example:** "Find the founders of Firecrawl and their backgrounds" **Usage Example (start agent, then poll patiently for results):** ```json { "name": "firecrawl_agent", "arguments": { "prompt": "Find the top 5 AI startups founded in 2024 and their funding amounts", "schema": { "type": "object", "properties": { "startups": { "type": "array", "items": { "type": "object", "properties": { "name": { "type": "string" }, "funding": { "type": "string" }, "founded": { "type": "string" } } } } } } } } ``` Then poll with `firecrawl_agent_status` every 15-30 seconds for at least 2-3 minutes. **Usage Example (with URLs - agent focuses on specific pages):** ```json { "name": "firecrawl_agent", "arguments": { "urls": ["https://docs.firecrawl.dev", "https://firecrawl.dev/pricing"], "prompt": "Compare the features and pricing information from these pages" } } ``` **Returns:** Job ID for status checking. Use `firecrawl_agent_status` to poll for results. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  25. medium
    Tool `firecrawl_agent_status` accepts unconstrained string input· firecrawl_agent_statusunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  26. medium
    Tool `firecrawl_agent_status` fetches external web content -- indirect-injection surface· firecrawl_agent_statusindirect injection

    Description: " Check the status of an agent job and retrieve results when complete. Use this to poll for results after starting an agent with `firecrawl_agent`. **IMPORTANT - Be patient with polling:** - Poll every 15-30 seconds - **Keep polling for at least 2-3 minutes** before considering the request failed - Complex research can take 5+ minutes - do not give up early - Only stop polling when status is "completed" or "failed" **Usage Example:** ```json { "name": "firecrawl_agent_status", "arguments": { "id": "550e8400-e29b-41d4-a716-446655440000" } } ``` **Possible statuses:** - processing: Agent is still researching - keep polling, do not give up - completed: Research finished - response includes the extracted data - failed: An error occurred (only stop polling on this status) **Returns:** Status, progress, and results (if completed) of the agent job. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  27. medium
    Tool `firecrawl_interact` accepts unconstrained string input· firecrawl_interactunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `code`, `language`, `prompt`, `scrapeId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  28. medium
    Tool `firecrawl_interact` fetches external web content -- indirect-injection surface· firecrawl_interactindirect injection

    Description: " Interact with a previously scraped page in a live browser session. Scrape a page first with firecrawl_scrape, then use the returned scrapeId to click buttons, fill forms, extract dynamic content, or navigate deeper. **Best for:** Multi-step workflows on a single page — searching a site, clicking through results, filling forms, extracting data that requires interaction. **Requires:** A scrapeId from a previous firecrawl_scrape call (found in the metadata of the scrape response). **Arguments:** - scrapeId: The scrape job ID from a previous scrape (required) - prompt: Natural language instruction describing the action to take (use this OR code) - code: Code to execute in the browser session (use this OR prompt) - language: "bash", "python", or "node" (optional, defaults to "node", only used with code) - timeout: Execution timeout in seconds, 1-300 (optional, defaults to 30) **Usage Example (prompt):** ```json { "name": "firecrawl_interact", "arguments": { "scrapeId": "scrape-id-from-previous-scrape", "prompt": "Click on the first product and tell me its price" } } ``` **Usage Example (code):** ```json { "name": "firecrawl_interact", "arguments": { "scrapeId": "scrape-id-from-previous-scrape", "code": "agent-browser click @e5", "language": "bash" } } ``` **Returns:** Execution result including output, stdout, stderr, exit code, and live view URLs. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  29. medium
    Tool `firecrawl_interact_stop` accepts unconstrained string input· firecrawl_interact_stopunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `scrapeId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  30. medium
    Tool `firecrawl_interact_stop` fetches external web content -- indirect-injection surface· firecrawl_interact_stopindirect injection

    Description: " Stop an interact session for a scraped page. Call this when you are done interacting to free resources. **Usage Example:** ```json { "name": "firecrawl_interact_stop", "arguments": { "scrapeId": "scrape-id-here" } } ``` **Returns:** Success confirmation. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  31. medium
    Tool `firecrawl_parse` accepts unconstrained string input· firecrawl_parseunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `contentType`, `filePath`, `proxy`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  32. medium
    Tool `firecrawl_parse` description mentions money but no `money` side-effect is declared· firecrawl_parseexcessive agency

    Description: " Parse a file from the local filesystem using a self-hosted Firecrawl API's /v2/parse endpoint. This is the fastest and most reliable way to extract content from a document on disk — if the file lives locally and the MCP is pointed at a self-hosted Firecrawl instance, you should always prefer this tool over uploading the file elsewhere and then scraping it. **Best for:** Extracting content from a local document (PDF, Word, Excel, HTML, etc.) when you don't want to host it on the public web first; pulling structured data out of a file with JSON format; converting binary documents into markdown for downstream reasoning. **Not recommended for:** Remote URLs (use firecrawl_scrape); multiple files at once (call parse multiple times); documents that require interactive actions, screenshots, or change tracking — those aren't supported by the parse endpoint. **Common mistakes:** Passing a URL instead of a local file path; requesting an unsupported format (screenshot, branding, changeTracking); setting waitFor, location, mobile, or a non-basic/auto proxy — parse uploads reject all of those. **Supported file types:** .html, .htm, .xhtml, .pdf, .docx, .doc, .odt, .rtf, .xlsx, .xls **Unsupported options:** actions, screenshot/branding/changeTracking formats, waitFor > 0, location, mobile, proxy values other than "auto" or "basic". **Privacy:** Set `redactPII: true` to return content with personally identifiable information redacted. **CRITICAL - Format Selection (same rules as firecrawl_scrape):** When the user asks for SPECIFIC data points from a document, you MUST use JSON format with a schema. Only use markdown when the user needs the ENTIRE document content. **Use JSON format when the user asks for:** - Specific fields, parameters, or values from a form / PDF / spreadsheet - Prices, numbers, or other structured data - Lists of items or properties **Use markdown format when:** - User wants to read, summarize, or analyze the full document - User explicitly asks for the complete content **Handling PDFs:** Add `"parsers": ["pdf"]` (optionally with `pdfOptions.maxPages`) when parsing a PDF so the PDF engine is invoked explicitly. For very long documents, cap `maxPages` to keep the response within token limits. **Usage Example (markdown from a local PDF):** ```json { "name": "firecrawl_parse", "arguments": { "filePath": "/absolute/path/to/document.pdf", "formats": ["markdown"], "parsers": ["pdf"], "onlyMainContent": true } } ``` **Usage Example (structured JSON extraction from a local HTML file):** ```json { "name": "firecrawl_parse", "arguments": { "filePath": "./invoice.html", "formats": ["json"], "jsonOptions": { "prompt": "Extract the invoice number, total, and line items", "schema": { "type": "object", "properties": { "invoiceNumber": { "type": "string" }, "total": { "type": "number" }, "lineItems": { "type": "array", "items": { "type": "object", "properties": { "description": { "type": "string" }, "amount": { "type": "number" } } } } } } } } } ``` **Returns:** A parsed document with markdown, html, links, summary, json, or query results depending on the requested formats. " -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  33. medium
    Tool `firecrawl_parse` fetches external web content -- indirect-injection surface· firecrawl_parseindirect injection

    Description: " Parse a file from the local filesystem using a self-hosted Firecrawl API's /v2/parse endpoint. This is the fastest and most reliable way to extract content from a document on disk — if the file lives locally and the MCP is pointed at a self-hosted Firecrawl instance, you should always prefer this tool over uploading the file elsewhere and then scraping it. **Best for:** Extracting content from a local document (PDF, Word, Excel, HTML, etc.) when you don't want to host it on the public web first; pulling structured data out of a file with JSON format; converting binary documents into markdown for downstream reasoning. **Not recommended for:** Remote URLs (use firecrawl_scrape); multiple files at once (call parse multiple times); documents that require interactive actions, screenshots, or change tracking — those aren't supported by the parse endpoint. **Common mistakes:** Passing a URL instead of a local file path; requesting an unsupported format (screenshot, branding, changeTracking); setting waitFor, location, mobile, or a non-basic/auto proxy — parse uploads reject all of those. **Supported file types:** .html, .htm, .xhtml, .pdf, .docx, .doc, .odt, .rtf, .xlsx, .xls **Unsupported options:** actions, screenshot/branding/changeTracking formats, waitFor > 0, location, mobile, proxy values other than "auto" or "basic". **Privacy:** Set `redactPII: true` to return content with personally identifiable information redacted. **CRITICAL - Format Selection (same rules as firecrawl_scrape):** When the user asks for SPECIFIC data points from a document, you MUST use JSON format with a schema. Only use markdown when the user needs the ENTIRE document content. **Use JSON format when the user asks for:** - Specific fields, parameters, or values from a form / PDF / spreadsheet - Prices, numbers, or other structured data - Lists of items or properties **Use markdown format when:** - User wants to read, summarize, or analyze the full document - User explicitly asks for the complete content **Handling PDFs:** Add `"parsers": ["pdf"]` (optionally with `pdfOptions.maxPages`) when parsing a PDF so the PDF engine is invoked explicitly. For very long documents, cap `maxPages` to keep the response within token limits. **Usage Example (markdown from a local PDF):** ```json { "name": "firecrawl_parse", "arguments": { "filePath": "/absolute/path/to/document.pdf", "formats": ["markdown"], "parsers": ["pdf"], "onlyMainContent": true } } ``` **Usage Example (structured JSON extraction from a local HTML file):** ```json { "name": "firecrawl_parse", "arguments": { "filePath": "./invoice.html", "formats": ["json"], "jsonOptions": { "prompt": "Extract the invoice number, total, and line items", "schema": { "type": "object", "properties": { "invoiceNumber": { "type": "string" }, "total": { "type": "number" }, "lineItems": { "type": "array", "items": { "type": "object", "properties": { "description": { "type": "string" }, "amount": { "type": "number" } } } } } } } } } ``` **Returns:** A parsed document with markdown, html, links, summary, json, or query results depending on the requested formats. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  34. medium
    Tool `firecrawl_monitor_create` accepts unconstrained string input· firecrawl_monitor_createunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `email`, `goal`, `name`, `page`, `scheduleText`, `timezone`, `webhookUrl`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  35. medium
    Tool `firecrawl_monitor_create` description mentions money but no `money` side-effect is declared· firecrawl_monitor_createexcessive agency

    Description: " Create a Firecrawl monitor — a recurring scrape or crawl that diffs each result against the last retained snapshot. Prefer the simple path: pass `page` or `pages` plus `goal`. The tool will create a scrape monitor with a 30-minute schedule and meaningful-change judging enabled by the API. Use `body` only for advanced requests such as crawl targets, JSON change tracking, custom retention, or manual `judgeEnabled` control. Meaningful-change judge: set `goal` to a plain-language description of what the user actually cares about. `judgeEnabled` defaults to true when `goal` is set, so providing `goal` is enough. Page webhooks expose `isMeaningful` and `judgment` on `monitor.page` events. Simple fields: - `page`: one page URL to monitor. - `pages`: multiple page URLs to monitor. - `goal`: plain-English instruction for what changes matter. Required for the simple path. - `scheduleText`: optional natural-language schedule, default `every 30 minutes`. - `email`: optional email recipient for summaries. - `webhookUrl`: optional webhook URL. Configures `monitor.page` and `monitor.check.completed`. Goal guidance: - Expand the user's one-line monitoring intent into a concise 2-3 sentence monitor goal. - State what should trigger an alert, restate any scope the user gave, and include intent-specific exclusions only when obvious from the user's request. - Generic noise such as whitespace, formatting-only changes, request IDs, tracking params, generic metadata, and unrelated page chrome is already handled by the judge; do not repeat it in every goal. - If the user is vague, keep the goal broad rather than guessing exclusions. If the user asks for broad monitoring or "any change", preserve that and do not add exclusions that hide changes. - If the user says they do not care about something, include that explicitly. It is okay to ask whether they want to ignore specific noise when it is likely to matter. - Do not invent page-specific sections, thresholds, entities, or business rules unless the user mentioned them. Full `body` requests require: `name`, `schedule` (with `cron` or `text`), and `targets` (one or more `{ type: 'scrape', urls: [...] }` or `{ type: 'crawl', url: '...' }`). Optional: `goal`, `judgeEnabled`, `webhook`, `notification`, `retentionDays`. **Markdown-mode (default):** Each check produces a unified text diff of the page's markdown. No extra configuration needed. ```json { "name": "firecrawl_monitor_create", "arguments": { "page": "https://example.com/blog", "goal": "Alert when a new blog post is published or an existing headline changes.", "email": "alerts@example.com" } } ``` **Multiple pages:** ```json { "name": "firecrawl_monitor_create", "arguments": { "pages": ["https://example.com/pricing", "https://example.com/changelog"], "goal": "Alert when pricing, packaging, or launch messaging changes.", "webhookUrl": "https://example.com/webhooks/firecrawl" } } ``` **JSON-mode change tracking:** To detect changes in **specific structured fields** (price, headline, in-stock flag, list items) instead of the whole page, add a `changeTracking` format with `modes: ["json"]` and a JSON schema to the target's `scrapeOptions.formats`. The check response will then carry a per-field diff (keyed by JSON path, e.g. `plans[0].price`) and a `snapshot.json` with the full current extraction. See `firecrawl_monitor_check` for the response shape. ```json { "name": "firecrawl_monitor_create", "arguments": { "body": { "name": "Pricing watch", "schedule": { "text": "hourly", "timezone": "UTC" }, "goal": "Alert when a pricing tier, price, billing period, limit, or headline feature changes. Ignore unrelated marketing copy unless it changes the pricing offer.", "targets": [{ "type": "scrape", "urls": ["https://example.com/pricing"], "scrapeOptions": { "formats": [{ "type": "changeTracking", "modes": ["json"], "prompt": "Extract pricing tiers and headline features for each plan.", "schema": { "type": "object", "properties": { "plans": { "type": "array", "items": { "type": "object", "properties": { "name": { "type": "string" }, "price": { "type": "string" }, "features": { "type": "array", "items": { "type": "string" } } } } } } } }] } }] } } } ``` **Mixed mode (JSON + git-diff):** Use `modes: ["json", "git-diff"]` to get both per-field diffs and a markdown sidecar. The page is marked `changed` whenever either surface changed. " -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  36. medium
    Tool `firecrawl_monitor_create` fetches external web content -- indirect-injection surface· firecrawl_monitor_createindirect injection

    Description: " Create a Firecrawl monitor — a recurring scrape or crawl that diffs each result against the last retained snapshot. Prefer the simple path: pass `page` or `pages` plus `goal`. The tool will create a scrape monitor with a 30-minute schedule and meaningful-change judging enabled by the API. Use `body` only for advanced requests such as crawl targets, JSON change tracking, custom retention, or manual `judgeEnabled` control. Meaningful-change judge: set `goal` to a plain-language description of what the user actually cares about. `judgeEnabled` defaults to true when `goal` is set, so providing `goal` is enough. Page webhooks expose `isMeaningful` and `judgment` on `monitor.page` events. Simple fields: - `page`: one page URL to monitor. - `pages`: multiple page URLs to monitor. - `goal`: plain-English instruction for what changes matter. Required for the simple path. - `scheduleText`: optional natural-language schedule, default `every 30 minutes`. - `email`: optional email recipient for summaries. - `webhookUrl`: optional webhook URL. Configures `monitor.page` and `monitor.check.completed`. Goal guidance: - Expand the user's one-line monitoring intent into a concise 2-3 sentence monitor goal. - State what should trigger an alert, restate any scope the user gave, and include intent-specific exclusions only when obvious from the user's request. - Generic noise such as whitespace, formatting-only changes, request IDs, tracking params, generic metadata, and unrelated page chrome is already handled by the judge; do not repeat it in every goal. - If the user is vague, keep the goal broad rather than guessing exclusions. If the user asks for broad monitoring or "any change", preserve that and do not add exclusions that hide changes. - If the user says they do not care about something, include that explicitly. It is okay to ask whether they want to ignore specific noise when it is likely to matter. - Do not invent page-specific sections, thresholds, entities, or business rules unless the user mentioned them. Full `body` requests require: `name`, `schedule` (with `cron` or `text`), and `targets` (one or more `{ type: 'scrape', urls: [...] }` or `{ type: 'crawl', url: '...' }`). Optional: `goal`, `judgeEnabled`, `webhook`, `notification`, `retentionDays`. **Markdown-mode (default):** Each check produces a unified text diff of the page's markdown. No extra configuration needed. ```json { "name": "firecrawl_monitor_create", "arguments": { "page": "https://example.com/blog", "goal": "Alert when a new blog post is published or an existing headline changes.", "email": "alerts@example.com" } } ``` **Multiple pages:** ```json { "name": "firecrawl_monitor_create", "arguments": { "pages": ["https://example.com/pricing", "https://example.com/changelog"], "goal": "Alert when pricing, packaging, or launch messaging changes.", "webhookUrl": "https://example.com/webhooks/firecrawl" } } ``` **JSON-mode change tracking:** To detect changes in **specific structured fields** (price, headline, in-stock flag, list items) instead of the whole page, add a `changeTracking` format with `modes: ["json"]` and a JSON schema to the target's `scrapeOptions.formats`. The check response will then carry a per-field diff (keyed by JSON path, e.g. `plans[0].price`) and a `snapshot.json` with the full current extraction. See `firecrawl_monitor_check` for the response shape. ```json { "name": "firecrawl_monitor_create", "arguments": { "body": { "name": "Pricing watch", "schedule": { "text": "hourly", "timezone": "UTC" }, "goal": "Alert when a pricing tier, price, billing period, limit, or headline feature changes. Ignore unrelated marketing copy unless it changes the pricing offer.", "targets": [{ "type": "scrape", "urls": ["https://example.com/pricing"], "scrapeOptions": { "formats": [{ "type": "changeTracking", "modes": ["json"], "prompt": "Extract pricing tiers and headline features for each plan.", "schema": { "type": "object", "properties": { "plans": { "type": "array", "items": { "type": "object", "properties": { "name": { "type": "string" }, "price": { "type": "string" }, "features": { "type": "array", "items": { "type": "string" } } } } } } } }] } }] } } } ``` **Mixed mode (JSON + git-diff):** Use `modes: ["json", "git-diff"]` to get both per-field diffs and a markdown sidecar. The page is marked `changed` whenever either surface changed. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  37. medium
    Tool `firecrawl_monitor_list` fetches external web content -- indirect-injection surface· firecrawl_monitor_listindirect injection

    Description: " List all Firecrawl monitors for the authenticated account. **Usage Example:** ```json { "name": "firecrawl_monitor_list", "arguments": { "limit": 20 } } ``` " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  38. medium
    Tool `firecrawl_monitor_get` accepts unconstrained string input· firecrawl_monitor_getunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  39. medium
    Tool `firecrawl_monitor_get` fetches external web content -- indirect-injection surface· firecrawl_monitor_getindirect injection

    Description: " Get a single monitor by ID. **Usage Example:** ```json { "name": "firecrawl_monitor_get", "arguments": { "id": "mon_abc123" } } ``` " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  40. medium
    Tool `firecrawl_monitor_update` accepts unconstrained string input· firecrawl_monitor_updateunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  41. medium
    Tool `firecrawl_monitor_update` fetches external web content -- indirect-injection surface· firecrawl_monitor_updateindirect injection

    Description: " Update a monitor. Pass any subset of fields to patch: `name`, `status` ("active" | "paused"), `schedule`, `targets`, `goal`, `judgeEnabled`, `webhook`, `notification`, `retentionDays`. **Usage Example:** ```json { "name": "firecrawl_monitor_update", "arguments": { "id": "mon_abc123", "body": { "status": "paused" } } } ``` " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  42. medium
    Tool `firecrawl_monitor_delete` accepts unconstrained string input· firecrawl_monitor_deleteunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  43. medium
    Tool `firecrawl_monitor_delete` fetches external web content -- indirect-injection surface· firecrawl_monitor_deleteindirect injection

    Description: " Permanently delete a monitor and stop its schedule. This cannot be undone. **Usage Example:** ```json { "name": "firecrawl_monitor_delete", "arguments": { "id": "mon_abc123" } } ``` " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  44. medium
    Tool `firecrawl_monitor_run` accepts unconstrained string input· firecrawl_monitor_rununconstrained input

    The following string parameter(s) have no `maxLength` constraint: `id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  45. medium
    Tool `firecrawl_monitor_run` fetches external web content -- indirect-injection surface· firecrawl_monitor_runindirect injection

    Description: " Trigger a monitor check immediately, outside its normal schedule. Returns the queued check. **Usage Example:** ```json { "name": "firecrawl_monitor_run", "arguments": { "id": "mon_abc123" } } ``` " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  46. medium
    Tool `firecrawl_monitor_checks` accepts unconstrained string input· firecrawl_monitor_checksunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `id`, `status`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  47. medium
    Tool `firecrawl_monitor_checks` fetches external web content -- indirect-injection surface· firecrawl_monitor_checksindirect injection

    Description: " List historical checks for a monitor. **Usage Example:** ```json { "name": "firecrawl_monitor_checks", "arguments": { "id": "mon_abc123", "limit": 10, "status": "completed" } } ``` " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  48. medium
    Tool `firecrawl_monitor_check` accepts unconstrained string input· firecrawl_monitor_checkunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `checkId`, `id`, `pageStatus`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  49. medium
    Tool `firecrawl_monitor_check` fetches external web content -- indirect-injection surface· firecrawl_monitor_checkindirect injection

    Description: " Get a single check with page-level diff results. Filter `pageStatus` to surface only the pages that changed (or were new, removed, etc.). Each entry in `data.pages[]` has `url`, `status` (`same` | `new` | `changed` | `removed` | `error`), optional `judgment` when goal-based judging ran, and — when changed — a `diff` and possibly a `snapshot`. The shape of `diff` depends on the monitor's `formats` configuration: - **Markdown mode (default).** `diff.text` is the unified markdown diff; `diff.json` is a parse-diff AST (`{ files: [...] }`). No `snapshot`. - **JSON mode** (`changeTracking` with `modes: ["json"]`). `diff.json` is a per-field map keyed by JSON path into the extraction, e.g. `plans[0].price`, with each value being `{ previous, current }`. `snapshot.json` is the full current extraction. No `diff.text`. - **Mixed mode** (`modes: ["json", "git-diff"]`). Both `diff.text` (markdown sidecar) AND `diff.json` (per-field map) are present, plus `snapshot.json`. **Example JSON-mode response `pages[]` entry:** ```json { "url": "https://example.com/pricing", "status": "changed", "diff": { "json": { "plans[0].price": { "previous": "$19/mo", "current": "$24/mo" }, "plans[1].features[2]": { "previous": "10 GB storage", "current": "25 GB storage" } } }, "snapshot": { "json": { "plans": [/* current full extraction matching the monitor's schema */] } }, "judgment": { "meaningful": true, "confidence": "high", "reason": "The pricing changed, which matches the monitor goal.", "meaningfulChanges": [ { "type": "changed", "before": "$19/mo", "after": "$24/mo", "reason": "The tracked plan price changed." } ] } } ``` When summarizing a check for the user, prefer `diff.json` paths (e.g. "plans[0].price changed from $19/mo to $24/mo") over re-printing the markdown diff — it's more concise and grounded in the schema fields they asked for. When `judgment` is present, use it to decide what to surface. `judgment.meaningful: false` means the change was classified as noise for the monitor's goal. When `judgment.meaningfulChanges` is present, prefer those goal-relevant changes over raw diff hunks; each item includes `type`, `before`, `after`, and `reason`. The endpoint paginates via a top-level `next` URL; this tool returns one page at a time. Increase `limit` (max 100) to fetch fewer pages. **Usage Example:** ```json { "name": "firecrawl_monitor_check", "arguments": { "id": "mon_abc123", "checkId": "chk_xyz", "pageStatus": "changed" } } ``` " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

How this was scored

Source sandbox live tools/list captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.