Lightpanda
Pass
Audited by Gen Agent Trust Hub on May 30, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The
scripts/install.shscript downloads platform-specific Lightpanda binaries from the author's official GitHub repository (lightpanda-io/browser). The installer implements a security check by fetching and verifying the SHA256 checksum of the binary via the GitHub API before granting execution permissions. - [COMMAND_EXECUTION]: The skill executes the
lightpandabinary to support its primary functions, including acting as an MCP (Model Context Protocol) server, performing CLI-based web fetches, and running a CDP (Chrome DevTools Protocol) server for automation. - [REMOTE_CODE_EXECUTION]: The skill provides an
evaluatetool and custom CDP methods that allow the agent to execute JavaScript code within the browser's page context. This is expected functionality for a web automation and scraping tool. - [INDIRECT_PROMPT_INJECTION]: The skill provides an interface to ingest and process content from arbitrary external URLs, creating a surface for indirect instructions to reach the agent.
- Ingestion points: Tools such as
goto,markdown, andfetch(documented inSKILL.md) ingest raw and processed data from web pages. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the documentation or tool descriptions.
- Capability inventory: The skill enables JavaScript execution (
evaluate), form interaction (fill), and element clicking (click). - Sanitization: The skill returns page content (HTML/Markdown) to the agent without explicit sanitization or filtering of potential injection patterns.
Audit Metadata