browser-form-fill
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses `npx -y @claude-flow/cli@latest` to execute code fetched from a remote registry at runtime. This practice circumvents local security auditing and can lead to the execution of unverified code if the remote package is compromised.
- [EXTERNAL_DOWNLOADS]: External code is downloaded from the npm registry without version pinning. Using the `@latest` tag makes the skill vulnerable to supply chain attacks, such as package hijacking or the introduction of malicious updates.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to run the `npx` command for persisting form templates in a memory store.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality.
  - Ingestion points: Untrusted content from web page accessibility snapshots (via `browser_snapshot`) and user-supplied field maps are ingested into the agent context.
  - Boundary markers: There are no specified delimiters or 'ignore' instructions to prevent the agent from obeying commands embedded within web form labels or field values.
  - Capability inventory: The skill has high capabilities, including full browser manipulation, file writing, and shell command execution.
  - Sanitization: While the skill includes a PII gate (`aidefence_has_pii`), it lacks sanitization or validation mechanisms to detect malicious natural language instructions hidden in external data.
Audit Metadata