firecrawl_monitor_check

2 findings on this tool

1. mediumunconstrained inputf-r1-firecrawl_monitor_check

   Tool `firecrawl_monitor_check` accepts unconstrained string input

   The following string parameter(s) have no `maxLength` constraint: `checkId`, `id`, `pageStatus`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

   OWASP LLM01NIST MEASURE-2.3ATLAS T0051
2. mediumindirect injectionf-r6-firecrawl_monitor_check

   Tool `firecrawl_monitor_check` fetches external web content -- indirect-injection surface

   Description: " Get a single check with page-level diff results. Filter `pageStatus` to surface only the pages that changed (or were new, removed, etc.). Each entry in `data.pages[]` has `url`, `status` (`same` | `new` | `changed` | `removed` | `error`), optional `judgment` when goal-based judging ran, and — when changed — a `diff` and possibly a `snapshot`. The shape of `diff` depends on the monitor's `formats` configuration: - **Markdown mode (default).** `diff.text` is the unified markdown diff; `diff.json` is a parse-diff AST (`{ files: [...] }`). No `snapshot`. - **JSON mode** (`changeTracking` with `modes: ["json"]`). `diff.json` is a per-field map keyed by JSON path into the extraction, e.g. `plans[0].price`, with each value being `{ previous, current }`. `snapshot.json` is the full current extraction. No `diff.text`. - **Mixed mode** (`modes: ["json", "git-diff"]`). Both `diff.text` (markdown sidecar) AND `diff.json` (per-field map) are present, plus `snapshot.json`. **Example JSON-mode response `pages[]` entry:** ```json { "url": "https://example.com/pricing", "status": "changed", "diff": { "json": { "plans[0].price": { "previous": "$19/mo", "current": "$24/mo" }, "plans[1].features[2]": { "previous": "10 GB storage", "current": "25 GB storage" } } }, "snapshot": { "json": { "plans": [/* current full extraction matching the monitor's schema */] } }, "judgment": { "meaningful": true, "confidence": "high", "reason": "The pricing changed, which matches the monitor goal.", "meaningfulChanges": [ { "type": "changed", "before": "$19/mo", "after": "$24/mo", "reason": "The tracked plan price changed." } ] } } ``` When summarizing a check for the user, prefer `diff.json` paths (e.g. "plans[0].price changed from $19/mo to $24/mo") over re-printing the markdown diff — it's more concise and grounded in the schema fields they asked for. When `judgment` is present, use it to decide what to surface. `judgment.meaningful: false` means the change was classified as noise for the monitor's goal. When `judgment.meaningfulChanges` is present, prefer those goal-relevant changes over raw diff hunks; each item includes `type`, `before`, `after`, and `reason`. The endpoint paginates via a top-level `next` URL; this tool returns one page at a time. Increase `limit` (max 100) to fetch fewer pages. **Usage Example:** ```json { "name": "firecrawl_monitor_check", "arguments": { "id": "mon_abc123", "checkId": "chk_xyz", "pageStatus": "changed" } } ``` " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

   fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

   OWASP LLM01NIST MEASURE-2.3ATLAS T0051