firecrawl_agent_status
on npm:firecrawl-mcp@3.20.2
Severity
2 findings on this tool
- medium | unconstrained input | f-r1-firecrawl_agent_status
Tool `firecrawl_agent_status` accepts unconstrained string input
The following string parameter(s) have no `maxLength` constraint: `id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
OWASP LLM01 | NIST MEASURE-2.3 | ATLAS T0051
- medium | indirect injection | f-r6-firecrawl_agent_status
Tool `firecrawl_agent_status` fetches external web content -- indirect-injection surface
Description: "Check the status of an agent job and retrieve results when complete. Use this to poll for results after starting an agent with `firecrawl_agent`.

**IMPORTANT - Be patient with polling:**
- Poll every 15-30 seconds
- **Keep polling for at least 2-3 minutes** before considering the request failed
- Complex research can take 5+ minutes - do not give up early
- Only stop polling when status is "completed" or "failed"

**Usage Example:**
```json
{
  "name": "firecrawl_agent_status",
  "arguments": {
    "id": "550e8400-e29b-41d4-a716-446655440000"
  }
}
```

**Possible statuses:**
- processing: Agent is still researching - keep polling, do not give up
- completed: Research finished - response includes the extracted data
- failed: An error occurred (only stop polling on this status)

**Returns:** Status, progress, and results (if completed) of the agent job."

-- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.
fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.
OWASP LLM01 | NIST MEASURE-2.3 | ATLAS T0051
About this tool
firecrawl_agent_status is one of 20 tools exposed by Firecrawl MCP. The server scored 0/100 overall against the capframe rule engine (source: sandbox). Last scanned 2026-06-05.
The findings above are emitted by the public capframe.findings.v1 schema. Disagree with one? Open an issue.