skills/dzianisv/skills/chrome-use/Gen Agent Trust Hub

chrome-use

Warn

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses the DevToolsActivePort file located within sensitive browser profile directories (e.g., ~/.config/google-chrome/ on Linux or ~/Library/Application Support/Google/Chrome/ on macOS) to establish a connection to the running browser instance.
  • [CREDENTIALS_UNSAFE]: Includes a dedicated cookies command that allows the agent to list, set, or clear browser cookies, which often contain active session identifiers and authentication tokens for logged-in services.
  • [COMMAND_EXECUTION]: Provides an eval command that uses the Chrome DevTools Protocol Runtime.evaluate method to execute arbitrary JavaScript code within the context of the active browser tab.
  • [COMMAND_EXECUTION]: The skill automatically spawns and manages a background proxy process (daemon) using node and child_process.spawn to maintain a persistent connection to the browser.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from web pages (via snapshot, get, and eval commands) and presents it to the agent without sanitization. An attacker could embed malicious instructions in a web page's text or metadata to influence the agent's behavior.
  • Ingestion points: Web page content accessed via snapshot, get text, get html, and eval commands.
  • Boundary markers: None implemented; page content is returned as raw text or JSON.
  • Capability inventory: The skill can write files (screenshots), execute browser-side JavaScript, and perform network operations via the browser.
  • Sanitization: No filtering or escaping of web content is performed before data is passed to the agent context.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 23, 2026, 12:32 AM
Security Audit — agent-trust-hub — chrome-use