chrome-use
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses the
DevToolsActivePortfile located within sensitive browser profile directories (e.g.,~/.config/google-chrome/on Linux or~/Library/Application Support/Google/Chrome/on macOS) to establish a connection to the running browser instance. - [CREDENTIALS_UNSAFE]: Includes a dedicated
cookiescommand that allows the agent to list, set, or clear browser cookies, which often contain active session identifiers and authentication tokens for logged-in services. - [COMMAND_EXECUTION]: Provides an
evalcommand that uses the Chrome DevTools ProtocolRuntime.evaluatemethod to execute arbitrary JavaScript code within the context of the active browser tab. - [COMMAND_EXECUTION]: The skill automatically spawns and manages a background proxy process (daemon) using
nodeandchild_process.spawnto maintain a persistent connection to the browser. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from web pages (via
snapshot,get, andevalcommands) and presents it to the agent without sanitization. An attacker could embed malicious instructions in a web page's text or metadata to influence the agent's behavior. - Ingestion points: Web page content accessed via
snapshot,get text,get html, andevalcommands. - Boundary markers: None implemented; page content is returned as raw text or JSON.
- Capability inventory: The skill can write files (screenshots), execute browser-side JavaScript, and perform network operations via the browser.
- Sanitization: No filtering or escaping of web content is performed before data is passed to the agent context.
Audit Metadata