browser-devtools-mcp-vscode
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `execute` tool enables the execution of arbitrary JavaScript code strings within the browser context. This allows the AI to perform complex logic, direct interactions with the Playwright `page` object, and access Node.js environment variables at runtime.
- [DATA_EXFILTRATION]: The skill provides tools like `screenshot`, `network_requests`, and `accessibility_snapshot` that can capture visual data, network logs, and DOM structures. If the agent navigates to sensitive internal or private web pages, these capabilities can be used to exfiltrate private information.
- [CREDENTIALS_UNSAFE]: Documentation within the skill explicitly encourages accessing sensitive information through `process.env` (e.g., `process.env.TEST_PASSWORD`) within the `execute` tool's code block, which could lead to the exposure of secret environment variables to the AI or potentially to the sites being automated.
- [COMMAND_EXECUTION]: The configuration setting `browserDevtoolsMcp.browser.executablePath` allows the user or an automated process to specify the path to a browser binary. A malicious actor could potentially point this to a non-browser executable to achieve arbitrary command execution when the extension attempts to start the browser.
- [PROMPT_INJECTION]: As the skill is designed to navigate and inspect arbitrary web content, it is vulnerable to indirect prompt injection. Malicious instructions embedded in a webpage's HTML, metadata, or comments could be processed by the AI assistant and used to hijack its behavior.
  - Ingestion points: The `navigate` tool allows the agent to load content from any URL into the context (`SKILL.md`).
  - Boundary markers: None identified in the provided documentation for separating website content from agent instructions.
  - Capability inventory: The skill includes powerful capabilities such as arbitrary JavaScript execution (`execute`), file writing via screenshots (`screenshot`), and network inspection (`network_requests`).
  - Sanitization: There is no evidence of sanitization or filtering of external website content before it is processed by the AI.
Audit Metadata