chrome-relay

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill explicitly enables arbitrary JS execution in pages, access to network/console buffers, and includes step‑by‑step recipes for extracting and saving authentication tokens (and manipulating native messaging host installation), which are clear enablers of data exfiltration and credential theft and can be abused for remote compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). Outsider free text can enter the LLM context via chrome-relay snapshot/get text/wait --text because these tools read the current page’s DOM/accessibility tree (public web content or other users’ authored content) and return it as readable text to the agent.

Issues (2)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Jun 13, 2026, 01:31 PM
  • Issues: 2