native-devtools-mcp-automation
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the native-devtools-mcp package from NPM and provides instructions to clone and build a Rust binary from a GitHub repository (sh3ll3x3c/native-devtools-mcp).
- [REMOTE_CODE_EXECUTION]: Instructs users to use npx -y to download and immediately execute the MCP server. It also includes steps for building the executable from source using cargo build, which involves downloading and executing build-time dependencies.
- [COMMAND_EXECUTION]: Provides capabilities to launch native applications with arbitrary command-line arguments, control system input (keyboard and mouse), and execute arbitrary JavaScript expressions within a browser context using the cdp_eval tool.
- [DATA_EXFILTRATION]: Captures potentially sensitive information through full-screen and window-specific screenshots, OCR-based text extraction, accessibility tree snapshots, and DOM snapshots from browsers.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted data from the user interface and the web.
  - Ingestion points: Screen content via take_screenshot, find_text, and take_ax_snapshot; browser DOM content via cdp_take_dom_snapshot (File: SKILL.md).
  - Boundary markers: None identified in the instructions or tool documentation to help the agent distinguish between its own logic and instructions embedded in processed UI data.
  - Capability inventory: Significant capabilities including launch_app, type_text, click, and cdp_eval, which can be misused if an attacker influences the agent via on-screen content (File: SKILL.md).
  - Sanitization: The skill does not describe any validation or sanitization of content extracted via OCR or the accessibility tree.
Audit Metadata