Skills
skills/inkeep/team-skills/saas-session-recon/Gen Agent Trust Hub

saas-session-recon

Warn

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill is designed to systematically extract sensitive session cookies (including HttpOnly cookies) and local storage tokens from the user's browser for multiple SaaS platforms. While instructions specify logging only prefixes, the agent has full access to active session credentials during execution.
  • [COMMAND_EXECUTION]: The skill uses the bun runtime via shell commands to execute dynamically generated JavaScript code strings that perform network requests and data processing.
  • [REMOTE_CODE_EXECUTION]: The skill injects and executes arbitrary ES5 JavaScript into active browser tabs using tools like javascript_tool to perform cookie enumeration, storage reads, and network interception.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. \n
  • Ingestion points: Data enters the context via read_page, read_network_requests, and read_console_messages (SKILL.md). \n
  • Boundary markers: Absent. \n
  • Capability inventory: Subprocess execution via bun -e, browser code execution via javascript_tool, and network access via fetch (SKILL.md). \n
  • Sanitization: Absent; the skill does not specify filtering or escaping of content retrieved from web pages or network headers before processing.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 14, 2026, 09:30 AM
Security Audit — agent-trust-hub — saas-session-recon