browser-form-fill
Warn
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the `Bash` tool to execute shell commands, specifically for managing form templates using a CLI utility.
- [EXTERNAL_DOWNLOADS]: The skill fetches the `@claude-flow/cli` package from the NPM registry during its operation.
- [REMOTE_CODE_EXECUTION]: The use of `npx -y @claude-flow/cli@latest` causes the execution of code downloaded from a remote registry at runtime. The use of the `@latest` tag introduces risks associated with unpinned dependencies and potential supply chain vulnerabilities.
- [DATA_EXFILTRATION]: The skill transmits site metadata and form structures (field mappings and selectors) to an external memory store via the CLI tool. If sensitive field names or context are present in the mapping, they are recorded externally.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through web content processing.
  - Ingestion points: Web page structure and accessibility labels are ingested via the `browser_snapshot` tool as described in SKILL.md.
  - Boundary markers: No delimiters or instructions are used to distinguish untrusted web content from internal logic during processing.
  - Capability inventory: The skill has access to `Bash`, `Write`, and browser automation tools (fill, click, type) which could be abused if the agent follows instructions hidden in a web form.
  - Sanitization: There is no evidence of filtering or sanitizing labels and descriptors retrieved from external sites before they are used to guide the agent's behavior, despite having a PII gate for input data.
Audit Metadata