electron
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions to relaunch desktop applications with the `--remote-debugging-port` flag. This action opens a local network port that grants programmatic control over the application's interface and internal data through the Chrome DevTools Protocol (CDP).
- [DATA_EXFILTRATION]: Facilitates access to and extraction of data from sensitive applications. The skill explicitly identifies compatibility with communication platforms (Slack, Discord, Signal) and password managers (1Password), creating a risk path for exposing private communications or stored credentials if the agent is misused.
- [PROMPT_INJECTION]: The skill establishes a surface for indirect prompt injection (Category 8) by reading and interacting with untrusted data from communication apps.
  - Ingestion points: Untrusted data enters the agent context via `agent-browser snapshot` and `agent-browser get text` (SKILL.md).
  - Boundary markers: The skill does not implement delimiters or instructions to ignore embedded commands within the processed application data.
  - Capability inventory: The agent can click, type, and fill forms within applications using the `agent-browser` tool (SKILL.md).
  - Sanitization: No sanitization or validation of the content read from desktop applications is performed before it is processed by the agent.
- [EXTERNAL_DOWNLOADS]: The configuration allows the use of `npx agent-browser`, which dynamically downloads and executes the `agent-browser` tool from the NPM registry at runtime.
Audit Metadata