chrome
Fail
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The cdp() helper function in SKILL.md assembles an SSH command by directly interpolating the $method and $params variables into a single-quoted string. This implementation is vulnerable to shell command injection if an attacker-influenced input contains a single quote followed by malicious shell commands.
- [COMMAND_EXECUTION]: The cdp-call.ps1 PowerShell script manually constructs JSON-RPC payloads using string concatenation. This lack of proper JSON serialization allows for JSON-RPC injection, which could be used to trigger unauthorized browser functions.
- [DATA_EXFILTRATION]: The skill provides explicit commands and scripts to extract highly sensitive data from the user's active browser session, including all cookies (Network.getCookies), page content, and screenshots.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. 1. Ingestion points: Browser tab content, console history, and DOM snapshots via chrome_eval and cdp calls. 2. Boundary markers: No delimiters or instructions are used to prevent the agent from obeying commands embedded in the retrieved web data. 3. Capability inventory: The skill possesses powerful capabilities including remote shell execution via ssh, file transfers via scp, and arbitrary JavaScript execution within the user's browser context. 4. Sanitization: There is no validation or sanitization of the data retrieved from external web sources before it is processed or used to inform subsequent agent actions.
Recommendations
- AI detected serious security threats
Audit Metadata