kernel-cli
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides extensive facilities for executing arbitrary commands inside remote browser VMs. This includes the ability to run processes as root, install system packages via package managers, and manage background services. Commands like `kernel browsers process exec` and `kernel browsers playwright execute` allow for direct shell and automation script execution.
- [DATA_EXFILTRATION]: The skill facilitates full interaction with the browser VM filesystem, including reading, writing, and downloading files. It also provides examples for using sensitive local file paths, such as private SSH keys (`~/.ssh/id_ed25519`), to facilitate VM authentication and port forwarding.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface due to its ability to ingest and process untrusted data from the web and external files.
- Ingestion points: Untrusted content enters the agent context through web scraping results, application deployment source files, and action payloads.
- Boundary markers: There are no defined delimiters or instructions to the agent to disregard embedded commands within processed data.
- Capability inventory: High-privilege tools are available to the agent, including remote shell access, browser automation scripts, and the ability to modify the VM filesystem.
- Sanitization: The skill lacks explicit sanitization or validation protocols for data retrieved from external sources before it is interpreted or acted upon.
Audit Metadata