v0.2.0 · live
CAPFRAME
← leaderboard/Firecrawl MCP/tool · firecrawl_search
§ toolsandboxFirecrawl MCP

firecrawl_search

on npm:firecrawl-mcp@3.20.2

Severity

critical0
high1
medium3
low0
info0

4 findings on this tool

  1. highexcessive agencyf-r4-firecrawl_search

    Tool `firecrawl_search` accepts an unbounded monetary / quota value

    The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

    OWASP LLM08NIST MANAGE-2.2ATLAS T0051
  2. mediumunconstrained inputf-r1-firecrawl_search

    Tool `firecrawl_search` accepts unconstrained string input

    The following string parameter(s) have no `maxLength` constraint: `filter`, `location`, `query`, `tbs`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

    OWASP LLM01NIST MEASURE-2.3ATLAS T0051
  3. mediumexcessive agencyf-r5-firecrawl_search

    Tool `firecrawl_search` description mentions money but no `money` side-effect is declared

    Description: " Search the web and optionally extract content from search results. This is the most powerful web search tool available, and if available you should always default to using this tool for any web search needs. The query also supports search operators, that you can use if needed to refine the search: | Operator | Functionality | Examples | ---|-|-| | `""` | Non-fuzzy matches a string of text | `"Firecrawl"` | `-` | Excludes certain keywords or negates other operators | `-bad`, `-site:firecrawl.dev` | `site:` | Only returns results from a specified website | `site:firecrawl.dev` | `inurl:` | Only returns results that include a word in the URL | `inurl:firecrawl` | `allinurl:` | Only returns results that include multiple words in the URL | `allinurl:git firecrawl` | `intitle:` | Only returns results that include a word in the title of the page | `intitle:Firecrawl` | `allintitle:` | Only returns results that include multiple words in the title of the page | `allintitle:firecrawl playground` | `related:` | Only returns results that are related to a specific domain | `related:firecrawl.dev` | `imagesize:` | Only returns images with exact dimensions | `imagesize:1920x1080` | `larger:` | Only returns images larger than specified dimensions | `larger:1920x1080` **Best for:** Finding specific information across multiple websites, when you don't know which website has the information; when you need the most relevant content for a query. **Not recommended for:** When you need to search the filesystem. When you already know which website to scrape (use scrape); when you need comprehensive coverage of a single website (use map or crawl. **Common mistakes:** Using crawl or map for open-ended questions (use search instead). **Prompt Example:** "Find the latest research papers on AI published in 2023." **Sources:** web, images, news, default to web unless needed images or news. **Domain filters:** Use includeDomains to restrict results to specific domains, or excludeDomains to remove domains. Do not use both in the same request. Domains must be hostnames only, without protocol or path. **Scrape Options:** Only use scrapeOptions when you think it is absolutely necessary. When you do so default to a lower limit to avoid timeouts, 5 or lower. **Optimal Workflow:** Search first using firecrawl_search without formats, then after fetching the results, use the scrape tool to get the content of the relevantpage(s) that you want to scrape **After the search:** Once you have processed the results (or decided they were not useful), call `firecrawl_search_feedback` with the `id` from this response. The first feedback per search refunds 1 credit and helps Firecrawl improve search quality. **Usage Example without formats (Preferred):** ```json { "name": "firecrawl_search", "arguments": { "query": "top AI companies", "limit": 5, "includeDomains": ["example.com"], "sources": [ { "type": "web" } ] } } ``` **Usage Example with formats:** ```json { "name": "firecrawl_search", "arguments": { "query": "latest AI research papers 2023", "limit": 5, "lang": "en", "country": "us", "sources": [ { "type": "web" }, { "type": "images" }, { "type": "news" } ], "scrapeOptions": { "formats": ["markdown"], "onlyMainContent": true } } } ``` **Returns:** A JSON envelope of the form `{ success, data: { web?, images?, news? }, id, creditsUsed }`. Each result array contains the search results (with optional scraped content). Pass the top-level `id` to `firecrawl_search_feedback` after you've used the results. " -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

    OWASP LLM08NIST MEASURE-2.6ATLAS T0040
  4. mediumindirect injectionf-r6-firecrawl_search

    Tool `firecrawl_search` fetches external web content -- indirect-injection surface

    Description: " Search the web and optionally extract content from search results. This is the most powerful web search tool available, and if available you should always default to using this tool for any web search needs. The query also supports search operators, that you can use if needed to refine the search: | Operator | Functionality | Examples | ---|-|-| | `""` | Non-fuzzy matches a string of text | `"Firecrawl"` | `-` | Excludes certain keywords or negates other operators | `-bad`, `-site:firecrawl.dev` | `site:` | Only returns results from a specified website | `site:firecrawl.dev` | `inurl:` | Only returns results that include a word in the URL | `inurl:firecrawl` | `allinurl:` | Only returns results that include multiple words in the URL | `allinurl:git firecrawl` | `intitle:` | Only returns results that include a word in the title of the page | `intitle:Firecrawl` | `allintitle:` | Only returns results that include multiple words in the title of the page | `allintitle:firecrawl playground` | `related:` | Only returns results that are related to a specific domain | `related:firecrawl.dev` | `imagesize:` | Only returns images with exact dimensions | `imagesize:1920x1080` | `larger:` | Only returns images larger than specified dimensions | `larger:1920x1080` **Best for:** Finding specific information across multiple websites, when you don't know which website has the information; when you need the most relevant content for a query. **Not recommended for:** When you need to search the filesystem. When you already know which website to scrape (use scrape); when you need comprehensive coverage of a single website (use map or crawl. **Common mistakes:** Using crawl or map for open-ended questions (use search instead). **Prompt Example:** "Find the latest research papers on AI published in 2023." **Sources:** web, images, news, default to web unless needed images or news. **Domain filters:** Use includeDomains to restrict results to specific domains, or excludeDomains to remove domains. Do not use both in the same request. Domains must be hostnames only, without protocol or path. **Scrape Options:** Only use scrapeOptions when you think it is absolutely necessary. When you do so default to a lower limit to avoid timeouts, 5 or lower. **Optimal Workflow:** Search first using firecrawl_search without formats, then after fetching the results, use the scrape tool to get the content of the relevantpage(s) that you want to scrape **After the search:** Once you have processed the results (or decided they were not useful), call `firecrawl_search_feedback` with the `id` from this response. The first feedback per search refunds 1 credit and helps Firecrawl improve search quality. **Usage Example without formats (Preferred):** ```json { "name": "firecrawl_search", "arguments": { "query": "top AI companies", "limit": 5, "includeDomains": ["example.com"], "sources": [ { "type": "web" } ] } } ``` **Usage Example with formats:** ```json { "name": "firecrawl_search", "arguments": { "query": "latest AI research papers 2023", "limit": 5, "lang": "en", "country": "us", "sources": [ { "type": "web" }, { "type": "images" }, { "type": "news" } ], "scrapeOptions": { "formats": ["markdown"], "onlyMainContent": true } } } ``` **Returns:** A JSON envelope of the form `{ success, data: { web?, images?, news? }, id, creditsUsed }`. Each result array contains the search results (with optional scraped content). Pass the top-level `id` to `firecrawl_search_feedback` after you've used the results. " -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

    OWASP LLM01NIST MEASURE-2.3ATLAS T0051

About this tool

firecrawl_search is one of 20 tools exposed by Firecrawl MCP. The server scored 0/100 overall against the capframe rule engine (source: sandbox). Last scanned 2026-06-05.

The findings above are emitted by the public capframe.findings.v1 schema. Disagree with one? Open an issue.