skills/jmagar/lab/chrome/Gen Agent Trust Hub

chrome

Fail

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The cdp() helper function in SKILL.md assembles an SSH command by directly interpolating the $method and $params variables into a single-quoted string. This implementation is vulnerable to shell command injection if an attacker-influenced input contains a single quote followed by malicious shell commands.
  • [COMMAND_EXECUTION]: The cdp-call.ps1 PowerShell script manually constructs JSON-RPC payloads using string concatenation. This lack of proper JSON serialization allows for JSON-RPC injection, which could be used to trigger unauthorized browser functions.
  • [DATA_EXFILTRATION]: The skill provides explicit commands and scripts to extract highly sensitive data from the user's active browser session, including all cookies (Network.getCookies), page content, and screenshots.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. 1. Ingestion points: Browser tab content, console history, and DOM snapshots via chrome_eval and cdp calls. 2. Boundary markers: No delimiters or instructions are used to prevent the agent from obeying commands embedded in the retrieved web data. 3. Capability inventory: The skill possesses powerful capabilities including remote shell execution via ssh, file transfers via scp, and arbitrary JavaScript execution within the user's browser context. 4. Sanitization: There is no validation or sanitization of the data retrieved from external web sources before it is processed or used to inform subsequent agent actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 19, 2026, 12:38 PM
Security Audit — agent-trust-hub — chrome