browsing

Fail

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The lib/screenshot.js file contains a command injection vulnerability in the downscaleImageIfNeeded function. The function passes the filepath variable directly into execSync calls to invoke system utilities such as sips, identify, and convert. Because the filepath is derived from the unsanitized payload provided to the screenshot action, a maliciously crafted filename (e.g., using shell command substitution) could allow arbitrary code execution on the host machine.
  • [REMOTE_CODE_EXECUTION]: As identified by automated scans, the test-raw.sh utility contains a pattern where the output of curl is piped directly into node. While used locally in this context to parse JSON with node -pe, this represents a dangerous execution pattern that could be exploited if the source URL or the local DevTools endpoint were compromised.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection (Category 8):
      • Ingestion points: Untrusted data enters the agent context through the navigate and extract actions, which browse and process arbitrary web pages.
      • Boundary markers: The instructions in SKILL.md lack explicit delimiters or warnings to ignore instructions embedded within the processed web content.
      • Capability inventory: The skill has powerful capabilities, including host-side shell execution (execSync in multiple library files), file system writes (screenshot and capture artifacts), and browser-side JavaScript execution (eval).
      • Sanitization: There is no evidence of sanitization or escaping of external content, and file paths for host-side operations are not validated.
  • [COMMAND_EXECUTION]: The lib/chrome-launcher-helpers.js file uses execSync to run lsof and netstat for process management. While typically used with numeric ports, the use of shell interpolation for system commands without strict validation of environment-derived inputs poses an unnecessary security risk.
  • [COMMAND_EXECUTION]: The lib/capture.js file performs automated file system operations, including fs.rmSync on session directories. While the directory paths are generated internally, the lack of path validation in a tool that interacts with remote web content requires careful monitoring to prevent potential file system abuse.
Recommendations
  • HIGH: Downloads and executes remote code from: http://127.0.0.1:9222/json - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 14, 2026, 11:18 PM
Security Audit — agent-trust-hub — browsing