extracting-browser-history-artifacts

Pass

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: SAFEDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses and extracts highly sensitive information from browser profile directories, including browsing history, cookies, and login database paths (e.g., AppData/Local/Google/Chrome/User Data/Default and AppData/Roaming/Mozilla/Firefox/Profiles). Although intended for forensics, this represents significant data exposure of private user artifacts.
  • [EXTERNAL_DOWNLOADS]: The skill performs an external package installation using pip install pyhindsight. This introduces a dependency on a third-party tool from an external registry.
  • [COMMAND_EXECUTION]: The workflow involves several sensitive command executions, including mounting filesystems (mount -o ro,loop), recursive file copying of sensitive databases, and executing raw SQL queries via sqlite3 to export data to CSV files.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data (browser history URLs, page titles, and form entries) without sanitization.
  • Ingestion points: Browser history and bookmark databases (History, places.sqlite, Cookies) located in SKILL.md Steps 2, 3, and 4.
  • Boundary markers: None. There are no delimiters or instructions to ignore embedded content within the extracted data.
  • Capability inventory: Subprocess calls for mount, cp, sqlite3, and pip install across all workflow steps.
  • Sanitization: Absent. The SQL queries and subsequent shell commands process extracted string data (like URLs and titles) without escaping or validation.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 21, 2026, 04:05 PM
Security Audit — agent-trust-hub — extracting-browser-history-artifacts