web-access
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUM
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Risk. The skill is designed to ingest and process content from arbitrary web pages (via Jina, WebFetch, or CDP). This creates a surface where malicious instructions embedded in web content could be processed by the agent and executed using its browser control capabilities.
  - Ingestion points: Web content retrieved through r.jina.ai, WebFetch, or the CDP Proxy (SKILL.md).
  - Boundary markers: Not implemented in instructions.
  - Capability inventory: Browser navigation, element clicking, arbitrary JavaScript execution, and screenshot capture (scripts/cdp-proxy.mjs).
  - Sanitization: No sanitization or filtering of retrieved web content before processing.
- [PROMPT_INJECTION]: Behavioral override instructions. The 'Browsing Philosophy' section in SKILL.md contains instructions that encourage the agent to operate autonomously ('solve it yourself') and bypass UI obstacles ('popups, login walls, ads') without alerting the user. This reduces human-in-the-loop oversight during potentially sensitive browser operations.
- [COMMAND_EXECUTION]: Dynamic JavaScript execution. The scripts/cdp-proxy.mjs script establishes a proxy to the Chrome DevTools Protocol (CDP), exposing an /eval endpoint. This allows the agent to execute arbitrary JavaScript code within the context of the user's active browser tabs, providing full control over the session data and DOM.
- [EXTERNAL_DOWNLOADS]: Interaction with external reader service. The skill fetches web content through r.jina.ai, a well-known service that converts web pages to LLM-friendly markdown.
- [DATA_EXFILTRATION]: Unrestricted local file write. The /screenshot endpoint in scripts/cdp-proxy.mjs allows the agent to save images to a file path provided as a query parameter. The script performs no validation on the provided path, allowing file writes to arbitrary locations accessible by the user running the proxy.
- [COMMAND_EXECUTION]: Local script execution. The skill executes local bash and Node.js scripts (scripts/check-deps.sh and scripts/cdp-proxy.mjs) to perform environment checks and manage the browser proxy.
Audit Metadata