Agent/MCP Audit Sprint

Sample audit report

firecrawl/firecrawl-mcp-server

This independent public-code sample is based on commit 980a76f31f93e865fe6c6636eb938995e1d3444b. It is not a commissioned review or private vulnerability disclosure, and no Firecrawl API calls, customer data, credentials, or live endpoint tests were used.

Target: Official Firecrawl MCP Server
Validation: pnpm install + build passed
Scanner Score: 72/100 heuristic score

Scope

Out of scope: private infrastructure, production deployment config, live Firecrawl API behavior, customer data, and unpublished branches.

Executive Summary

The server has a mature MCP shape: hosted cloud mode is separated from local/stdin use, OAuth access-token introspection exists for hosted MCP, Zod schemas are used heavily, MCP safety annotations are present, and cloud safe mode disables interactive browser actions.

The main risks are boundary clarity and regression proof. Remote transport behavior is spread across several docs and env vars, local file parsing can read arbitrary paths when enabled, monitor/update/delete paths need focused tests, and CI currently builds but does not exercise the advertised Jest test command.

Boundary Map

Area | Evidence | Risk Notes
Startup and transport | src/index.ts, VERSIONING.md, README.md | Defaults to stdio; HTTP stream starts from cloud, SSE local, or HTTP stream env flags.
Auth | src/index.ts | Hosted cloud requires OAuth/API key except secret-gated keyless sessions; local HTTP stream fails closed without credentials or a self-hosted URL.
Safe mode | src/index.ts | Cloud safe mode restricts scrape actions to wait/screenshot/scroll/scrape.
Monitor tools | src/monitor.ts | Create, update, delete, run, and inspect monitor resources; destructive annotations are present for update/delete.
Local file parsing | src/index.ts | Non-cloud only; reads a user-supplied local file path and posts it to the configured parse endpoint.
CI and tests | .github/workflows/ci.yml, package.json | CI builds only. Test script references Jest, but Jest is not declared at this commit.

Findings

Med: Remote transport exposure policy is scattered across code and docs

Evidence: src/index.ts, README.md, and VERSIONING.md.

Impact: Operators have to reconstruct bind address, auth source, host mode, and safe-mode behavior from several places. That is a common source of unsafe MCP remote deployments.

Recommended fix: Add a single transport exposure matrix and a startup summary log line covering mode, host, port, credential source category, and safe-mode state.

Med: Local file parse needs an explicit trust boundary

Evidence: firecrawl_parse resolves a supplied path, reads it, and uploads it to the configured self-hosted parse endpoint.

Impact: The tool is read-only for filesystem mutation, but a local MCP client can still ask it to read and upload local files. That should be treated as a sensitive local capability.

Recommended fix: Document trusted-client requirements and add an optional parse root allowlist such as FIRECRAWL_PARSE_ROOT.
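
One way the recommended parse-root allowlist could behave, as an added example that is not code from the Firecrawl repository. FIRECRAWL_PARSE_ROOT is the name this report proposes; resolveWithinParseRoot, demo, and the temp-directory fixture are hypothetical and constructed here.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper: resolve a client-supplied path and refuse anything that
// lands outside the allowlisted root (e.g. the value of FIRECRAWL_PARSE_ROOT,
// a variable this report proposes; it is not an existing server option).
function resolveWithinParseRoot(root: string, requested: string): string {
  // realpathSync follows symlinks, so a link inside the root is judged by its
  // real target. It also throws on missing paths, which fails closed.
  const realRoot = fs.realpathSync(root);
  const realTarget = fs.realpathSync(path.resolve(realRoot, requested));
  const rel = path.relative(realRoot, realTarget);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path is outside the parse root");
  }
  if (!fs.statSync(realTarget).isFile()) {
    throw new Error("path is not a regular file");
  }
  return realTarget;
}

// Constructed fixture: a temp root holding one document, a file outside the
// root, and a symlink inside the root that points at the outside file.
function demo(): Record<string, string> {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "parse-root-")));
  const root = path.join(base, "docs");
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, "report.pdf"), "constructed sample");
  fs.writeFileSync(path.join(base, "secret.env"), "constructed sample");
  fs.symlinkSync(path.join(base, "secret.env"), path.join(root, "link.pdf"));
  const cases: [string, string][] = [
    ["inside", "report.pdf"],
    ["traversal", "../secret.env"],
    ["absolute", path.join(base, "secret.env")],
    ["symlink", "link.pdf"],
    ["missing", "missing.pdf"],
    ["directory", "."],
  ];
  const results: Record<string, string> = {};
  for (const [label, p] of cases) {
    try { results[label] = path.relative(base, resolveWithinParseRoot(root, p)); }
    catch { results[label] = "rejected"; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

A check followed by a separate read still leaves a small race window; reading from the returned real path rather than the client-supplied string narrows it.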

Med: CI builds, but does not prove auth/tool regressions stay fixed

Evidence: CI runs install and build. The package test script references Jest, but Jest is not present in dev dependencies and no first-party test files were found.

Impact: Build coverage does not prove OAuth failure paths, safe-mode action filtering, monitor annotations, feedback behavior, or parse boundaries.

Recommended fix: Fix the test runner dependency and run focused tests in CI.

Low: Feedback write surfaces deserve retry/error regression tests

Evidence: firecrawl_search_feedback and firecrawl_feedback submit additive account-associated feedback records.

Impact: The annotations are reasonable, but agents can retry or loop if terminal errors are ambiguous.

Recommended fix: Test 400/409 handling, daily cap handling, already-submitted handling, and missing credential behavior.

Positive Signals

Priority Fix Plan

  1. Add a transport exposure matrix and startup summary.
  2. Fix the test script/dependencies and run tests in CI.
  3. Add auth, safe-mode, monitor annotation, feedback, and parse-boundary unit tests.
  4. Add a parse-root allowlist for local file parsing.
  5. Add a short operator checklist for local HTTP/SSE deployments.

Example Validation Commands

pnpm install --frozen-lockfile
pnpm run build
pnpm test
HTTP_STREAMABLE_SERVER=true node dist/index.js

What The Paid Sprint Adds

The paid sprint would go deeper than this public sample: live local reproduction where safe, focused tests written against the repo's actual runner, issue-ready remediation text, deployment-mode threat table, and a concise launch handoff for owners.