skills/jwmossmoz/agent-skills/splunk/Gen Agent Trust Hub

splunk

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill contains logic to retrieve sensitive authentication material from an active browser session. Specifically, it extracts document.cookie and splunkweb_csrf_token_ values from the security-mozilla.splunkcloud.com domain. This capability enables the agent to ride the user's existing session and perform actions that the user has not explicitly authorized, effectively bypassing security measures such as disabled API endpoints.
  • [COMMAND_EXECUTION]: The skill relies on the browser-harness tool to execute Python and JavaScript code blocks. This includes using the js() function to run arbitrary code in the context of an authenticated browser tab and using Python scripts that can perform local file system operations, such as writing data to /tmp/spl.json.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from external Splunk logs without proper isolation.
      • Ingestion points: Splunk log data retrieved via browser-harness and returned as a JSON result (SKILL.md).
      • Boundary markers: None identified; raw log data is processed directly.
      • Capability inventory: The agent has the ability to execute shell commands, perform browser automation, and write to the local file system.
      • Sanitization: None identified; there is no filtering or escaping of the log content before it is returned to the agent's context.
  • [EXTERNAL_DOWNLOADS]: The skill directs the agent to retrieve its operational logic and API definitions from an external GitHub repository (browser-use/browser-harness). This creates an external dependency on untrusted documentation that could be maliciously altered to influence the agent's behavior or provide dangerous instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 11, 2026, 02:20 PM