chatgpt-web-research

Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests and processes data from an external web source (ChatGPT) that could contain untrusted instructions.
  • Ingestion points: Extracts assistant message content via the browser clipboard, DOM elements, or OCR (SKILL.md, Workflow step 10).
  • Boundary markers: Implements a unique completion marker ([[CHATGPT_WEB_RESEARCH_DONE_]]) to verify the end of a response, but does not provide instructions to the agent to disregard instructions embedded within the extracted data.
  • Capability inventory: Employs browser control (chrome:control-chrome), UI automation (computer-use:computer-use), and file system write access to the workspace (SKILL.md, Workflow step 11).
  • Sanitization: No specific mechanisms are mentioned for sanitizing or escaping the extracted content before it is saved to Markdown files.
  • [COMMAND_EXECUTION]: The skill requires the use of powerful interaction tools that permit the agent to control the browser and user interface.
  • Evidence: Explicitly directs the agent to load and use chrome:control-chrome and computer-use:computer-use to perform its tasks.
  • Evidence: Suggests using node_repl js for tool discovery if the standard browser client is unavailable.
  • [DATA_EXFILTRATION]: The skill automates the extraction of information from a private, authenticated session on the ChatGPT website.
  • Evidence: Accesses and claims existing browser tabs to read interaction history and new research results from the user's signed-in account.
  • Mitigation: Includes explicit Privacy Notes and instructions forbidding the inspection of cookies, local storage, passwords, or session stores.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 24, 2026, 07:30 AM
Security Audit — agent-trust-hub — chatgpt-web-research