cdp-connect
Pass
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Node.js script to interact with the browser and performs file system operations.
- Evidence: The script
scripts/cdp.jsusesfs.writeFileSyncin thecmdScreenshotfunction to save browser captures to a user-provided file path. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the ingestion of untrusted external content from browser sessions.
- Ingestion points: The
ax-tree,dom,console, andnetworkcommands inscripts/cdp.jsextract data (DOM structure, accessibility tree, and logs) from the current web page. - Boundary markers: The
SKILL.mdfile includes an "External content warning" explicitly advising the agent to treat outputs from external sources with skepticism and to seek user confirmation before acting on instructions found within them. - Capability inventory: The skill provides powerful capabilities including navigating to arbitrary URLs, executing arbitrary JavaScript in the browser context via
eval, and writing files to the disk. - Sanitization: The script mitigates injection from the agent into the browser by using
JSON.stringifyto escape arguments used in browser-side selectors and script execution.
Audit Metadata