web-access
Warn
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to manage a persistent Node.js proxy (
cdp-proxy.mjs). This proxy is launched in a detached background process. - [REMOTE_CODE_EXECUTION]: The local proxy exposes an
/evalendpoint that allows the execution of arbitrary JavaScript within the context of the user's browser. This capability is used by the agent to interact with and extract data from web pages. - [COMMAND_EXECUTION]: The skill utilizes a
/setFilesendpoint in its local proxy which uses theDOM.setFileInputFilesprotocol to programmatically upload local files to websites, bypassing standard browser file dialogs. - [REMOTE_CODE_EXECUTION]: The proxy implementation includes a 'Port Guard' feature that uses the
Fetch.enableCDP domain to intercept and block local network requests to the Chrome debugging port from within web pages, which is a technique used to evade bot detection. - [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process data from arbitrary external websites (via
WebFetch,curl, and CDP). - Ingestion points: Web content retrieved from any URL via the browser or search tools.
- Boundary markers: None implemented in the provided scripts or instructions.
- Capability inventory: Includes shell command execution (
Bash), file writing (Write), arbitrary JavaScript execution (/eval), and local file uploads (/setFiles). - Sanitization: No evidence of input sanitization or validation before processing web content.
Audit Metadata