umbraco-chrome-navigation
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes dynamic code execution by instructing the agent to use
eval(localStorage.__umbSrc)to re-inject its helper toolkit after page reloads or navigation. This persists the script's logic within the browser session. - [DATA_EXFILTRATION]: The documentation explicitly identifies platform 'privacy guards' that block bulk extraction of URLs and Base64 data. It instructs the agent to return only element labels and coordinates as a method to circumvent these automated data leakage protections.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data from the Umbraco backoffice DOM.
- Ingestion points: The
__umb._walkand__umb.snapshotfunctions perform a depth-first search of all DOM elements, including those in shadow roots, and extract text from labels, placeholders, and roles into the agent's context (SKILL.md, scripts/umbraco-chrome-helpers.js). - Boundary markers: There are no explicit boundary markers or instructions for the agent to ignore potentially malicious content found within element labels or UI text.
- Capability inventory: The skill provides capabilities to perform synthetic clicks (
el.click()), fill input fields (el.value), and trigger trusted clicks via coordinate-based computer tool interaction. - Sanitization: No sanitization or validation is performed on the text extracted from the DOM before it is used for matching or returned to the agent.
Audit Metadata