web-search

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes arbitrary content from the live web. Attackers could place malicious instructions on websites to influence the agent's behavior when it parses search results.
  • Ingestion points: server/search/bing.ts and server/search/google.ts extract content using page.evaluate and page.textContent from remote websites.
  • Boundary markers: scripts/search.sh attempts to isolate search results using Markdown headers and horizontal rules, which provides some structural separation but does not prevent the agent from following embedded instructions.
  • Capability inventory: The skill can spawn subprocesses via server/playwright/browser.ts and execute code in the browser via server/playwright/operations.ts.
  • Sanitization: No explicit sanitization or filtering is performed on the text content extracted from the web before it is returned to the agent.
  • [COMMAND_EXECUTION]: The bridge server uses child_process.spawn to manage the lifecycle of the Google Chrome/Chromium browser instance. This is a core part of its intended functionality.
  • [DATA_EXFILTRATION]: As a search skill, it is designed to transmit data (web search results, screenshots, and page content) from external domains to the agent. All operations are restricted to localhost for the API server, but the browser itself accesses the public internet.
  • [EXTERNAL_DOWNLOADS]: The scripts/start-server.sh script automatically runs npm install if the node_modules directory is missing or corrupted, which downloads dependencies from the public npm registry at runtime.
  • [DYNAMIC_EXECUTION]: The file server/playwright/operations.ts includes an evaluate function that uses the JavaScript eval() function within the browser context to execute arbitrary expressions. While not currently exposed via the server's public API endpoints, this utility poses a risk if future endpoints enable direct access to this function.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 06:06 AM
Security Audit — agent-trust-hub — web-search