extracting-browser-history-artifacts
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFEDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses and extracts highly sensitive information from browser profile directories, including browsing history, cookies, and login database paths (e.g.,
AppData/Local/Google/Chrome/User Data/DefaultandAppData/Roaming/Mozilla/Firefox/Profiles). Although intended for forensics, this represents significant data exposure of private user artifacts. - [EXTERNAL_DOWNLOADS]: The skill performs an external package installation using
pip install pyhindsight. This introduces a dependency on a third-party tool from an external registry. - [COMMAND_EXECUTION]: The workflow involves several sensitive command executions, including mounting filesystems (
mount -o ro,loop), recursive file copying of sensitive databases, and executing raw SQL queries viasqlite3to export data to CSV files. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data (browser history URLs, page titles, and form entries) without sanitization.
- Ingestion points: Browser history and bookmark databases (
History,places.sqlite,Cookies) located inSKILL.mdSteps 2, 3, and 4. - Boundary markers: None. There are no delimiters or instructions to ignore embedded content within the extracted data.
- Capability inventory: Subprocess calls for
mount,cp,sqlite3, andpip installacross all workflow steps. - Sanitization: Absent. The SQL queries and subsequent shell commands process extracted string data (like URLs and titles) without escaping or validation.
Audit Metadata