umbraco-chrome-navigation

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes dynamic code execution by instructing the agent to use eval(localStorage.__umbSrc) to re-inject its helper toolkit after page reloads or navigation. This persists the script's logic within the browser session.
  • [DATA_EXFILTRATION]: The documentation explicitly identifies platform 'privacy guards' that block bulk extraction of URLs and Base64 data. It instructs the agent to return only element labels and coordinates as a method to circumvent these automated data leakage protections.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data from the Umbraco backoffice DOM.
  • Ingestion points: The __umb._walk and __umb.snapshot functions perform a depth-first search of all DOM elements, including those in shadow roots, and extract text from labels, placeholders, and roles into the agent's context (SKILL.md, scripts/umbraco-chrome-helpers.js).
  • Boundary markers: There are no explicit boundary markers or instructions for the agent to ignore potentially malicious content found within element labels or UI text.
  • Capability inventory: The skill provides capabilities to perform synthetic clicks (el.click()), fill input fields (el.value), and trigger trusted clicks via coordinate-based computer tool interaction.
  • Sanitization: No sanitization or validation is performed on the text extracted from the DOM before it is used for matching or returned to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 09:17 AM
Security Audit — agent-trust-hub — umbraco-chrome-navigation