chatgpt-web-research
Pass
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests and processes data from an external web source (ChatGPT) that could contain untrusted instructions.
- Ingestion points: Extracts assistant message content via the browser clipboard, DOM elements, or OCR (SKILL.md, Workflow step 10).
- Boundary markers: Implements a unique completion marker ([[CHATGPT_WEB_RESEARCH_DONE_]]) to verify the end of a response, but does not provide instructions to the agent to disregard instructions embedded within the extracted data.
- Capability inventory: Employs browser control (chrome:control-chrome), UI automation (computer-use:computer-use), and file system write access to the workspace (SKILL.md, Workflow step 11).
- Sanitization: No specific mechanisms are mentioned for sanitizing or escaping the extracted content before it is saved to Markdown files.
- [COMMAND_EXECUTION]: The skill requires the use of powerful interaction tools that permit the agent to control the browser and user interface.
- Evidence: Explicitly directs the agent to load and use chrome:control-chrome and computer-use:computer-use to perform its tasks.
- Evidence: Suggests using node_repl js for tool discovery if the standard browser client is unavailable.
- [DATA_EXFILTRATION]: The skill automates the extraction of information from a private, authenticated session on the ChatGPT website.
- Evidence: Accesses and claims existing browser tabs to read interaction history and new research results from the user's signed-in account.
- Mitigation: Includes explicit Privacy Notes and instructions forbidding the inspection of cookies, local storage, passwords, or session stores.
Audit Metadata