lynx-devtool

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a CLI and library to manage device transports and communicate with the Lynx DevTool daemon via Node.js.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates executing JavaScript within Lynx applications using CDP methods such as Runtime.evaluate and Runtime.runScript.
  • [DATA_EXFILTRATION]: The skill captures diagnostic information including console logs, screenshots, and heap snapshots, saving them to the local filesystem.
  • [PROMPT_INJECTION]: The skill acts as an ingestion point for untrusted data from debugged applications, creating a surface for indirect prompt injection.
      (1) Ingestion points: Console logs collected via the get-console command, CDP command responses, and interaction recording data from the recorder command.
      (2) Boundary markers: None identified; there are no specific delimiters or instructions to the agent to ignore embedded commands within the ingested application data.
      (3) Capability inventory: Remote JavaScript execution on devices, file system writing (screenshots, heap snapshots), and network communication via device transports.
      (4) Sanitization: No evidence of sanitization, validation, or escaping of application-provided strings (such as log messages or property values) before they are returned to the agent context.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 26, 2026, 10:30 AM