web-search
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes arbitrary content from the live web. Attackers could place malicious instructions on websites to influence the agent's behavior when it parses search results.
- Ingestion points:
server/search/bing.tsandserver/search/google.tsextract content usingpage.evaluateandpage.textContentfrom remote websites. - Boundary markers:
scripts/search.shattempts to isolate search results using Markdown headers and horizontal rules, which provides some structural separation but does not prevent the agent from following embedded instructions. - Capability inventory: The skill can spawn subprocesses via
server/playwright/browser.tsand execute code in the browser viaserver/playwright/operations.ts. - Sanitization: No explicit sanitization or filtering is performed on the text content extracted from the web before it is returned to the agent.
- [COMMAND_EXECUTION]: The bridge server uses
child_process.spawnto manage the lifecycle of the Google Chrome/Chromium browser instance. This is a core part of its intended functionality. - [DATA_EXFILTRATION]: As a search skill, it is designed to transmit data (web search results, screenshots, and page content) from external domains to the agent. All operations are restricted to localhost for the API server, but the browser itself accesses the public internet.
- [EXTERNAL_DOWNLOADS]: The
scripts/start-server.shscript automatically runsnpm installif thenode_modulesdirectory is missing or corrupted, which downloads dependencies from the public npm registry at runtime. - [DYNAMIC_EXECUTION]: The file
server/playwright/operations.tsincludes anevaluatefunction that uses the JavaScripteval()function within the browser context to execute arbitrary expressions. While not currently exposed via the server's public API endpoints, this utility poses a risk if future endpoints enable direct access to this function.
Audit Metadata