registry  /  firecrawl-cli  /  1.19.23

firecrawl-cli@1.19.23

Command-line interface for Firecrawl. Scrape, crawl, and extract data from any website directly from your terminal.

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 461 KB of source, external domains: api.firecrawl.dev, api.github.com, api.openai.com, example.com, firecrawl.dev, github.com, mcp.firecrawl.dev, news.ycombinator.com, registry.npmjs.org, stripe.com, www.firecrawl.dev

Source & flagged code

5 flagged · loading source
dist/utils/auth.jsView file
72async function openBrowser(url) { L73: const { exec } = await Promise.resolve().then(() => __importStar(require('child_process'))); L74: const platform = process.platform;
High
Child Process

Package source references child process execution.

dist/utils/auth.jsView on unpkg · L72
49const config_1 = require("./config"); L50: const DEFAULT_API_URL = 'https://api.firecrawl.dev'; L51: const WEB_URL = 'https://firecrawl.dev'; ... L59: input: process.stdin, L60: output: process.stdout, L61: }); ... L72: async function openBrowser(url) { L73: const { exec } = await Promise.resolve().then(() => __importStar(require('child_process'))); L74: const platform = process.platform; L75: let command; ... L103: /** L104: * Generate a PKCE code verifier (random string, base64url encoded)
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/utils/auth.jsView on unpkg · L49
dist/commands/skills-native.jsView file
11exports.hasNpx = hasNpx; L12: const child_process_1 = require("child_process"); L13: const fs_1 = __importDefault(require("fs")); ... L203: function detectInstalledAgents() { L204: const home = os_1.default.homedir(); L205: return AGENTS.filter((agent) => { ... L242: function cloneRepo(tmpDir, repo) { L243: const repoUrl = `https://github.com/${repo}.git`; L244: if (hasGit()) { ... L363: if (fs_1.default.existsSync(lockFilePath)) { L364: lock = JSON.parse(fs_1.default.readFileSync(lockFilePath, 'utf-8')); L365: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/commands/skills-native.jsView on unpkg · L11
dist/commands/init.jsView file
296try { L297: (0, child_process_1.execSync)('npm install -g firecrawl-cli', { stdio: 'inherit' }); L298: console.log(` ${green}✓${reset} CLI installed globally\n`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/init.jsView on unpkg · L296
45exports.handleInitCommand = handleInitCommand; L46: const child_process_1 = require("child_process"); L47: const auth_1 = require("../utils/auth"); ... L121: * inheriting it, so users see a single line per repo. Returns the number of L122: * skills installed (parsed from the captured stdout), or null if unknown. L123: * ... L139: if (isTty) { L140: process.stdout.write(` ${dim}↓ Installing ${label}...${reset}`); L141: } ... L199: console.log(` ${dim}Connect & interact with the web ${reset}${dim}(direct or in your AI agent):${reset}`); L200: console.log(` ${arrow} ${bold}Scrape${reset} "Scrape the pricing page of stripe.com" ${dim}firecrawl scrape https://stripe.com/pricing${reset}`); L201: console.log(` ${arrow} ${bold}Search${reset} "Search for the latest stories in AI" ${dim}firecrawl search "latest stories in AI"${reset}`);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/init.jsView on unpkg · L45

Findings

3 High4 Medium6 Low
HighChild Processdist/utils/auth.js
HighSandbox Evasion Gated Capabilitydist/utils/auth.js
HighRuntime Package Installdist/commands/init.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/init.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/commands/skills-native.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings