firecrawl_map

3 findings on this tool

1. highexcessive agencyf-r4-firecrawl_map

   Tool `firecrawl_map` accepts an unbounded monetary / quota value

   The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

   fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

   OWASP LLM08NIST MANAGE-2.2ATLAS T0051
2. mediumunconstrained inputf-r1-firecrawl_map

   Tool `firecrawl_map` accepts unconstrained string input

   The following string parameter(s) have no `maxLength` constraint: `search`, `sitemap`, `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

   OWASP LLM01NIST MEASURE-2.3ATLAS T0051
3. mediumindirect injectionf-r6-firecrawl_map

   Tool `firecrawl_map` fetches external web content -- indirect-injection surface

   Description: " Map a website to discover all indexed URLs on the site. **Best for:** Discovering URLs on a website before deciding what to scrape; finding specific sections or pages within a large site; locating the correct page when scrape returns empty or incomplete results. **Not recommended for:** When you already know which specific URL you need (use scrape); when you need the content of the pages (use scrape after mapping). **Common mistakes:** Using crawl to discover URLs instead of map; jumping straight to firecrawl_agent when scrape fails instead of using map first to find the right page. **IMPORTANT - Use map before agent:** If `firecrawl_scrape` returns empty, minimal, or irrelevant content, use `firecrawl_map` with the `search` parameter to find the specific page URL containing your target content. This is faster and cheaper than using `firecrawl_agent`. Only use the agent as a last resort after map+scrape fails. **Prompt Example:** "Find the webhook documentation page on this API docs site." **Usage Example (discover all URLs):** ```json { "name": "firecrawl_map", "arguments": { "url": "https://example.com" } } ``` **Usage Example (search for specific content - RECOMMENDED when scrape fails):** ```json { "name": "firecrawl_map", "arguments": { "url": "https://docs.example.com/api", "search": "webhook events" } } ``` **Returns:** Array of URLs found on the site, filtered by search query if provided. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

   fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

   OWASP LLM01NIST MEASURE-2.3ATLAS T0051