skills/vaayne/agent-kit/tap-web/Gen Agent Trust Hub

tap-web

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installation instructions in SKILL.md promote a 'curl | sh' pattern: curl -fsSL https://raw.githubusercontent.com/vaayne/tap/main/scripts/install.sh | sh. This technique downloads and executes code from a remote server without verification, which is a significant security risk if the source or connection is compromised.
  • [COMMAND_EXECUTION]: The skill relies on executing subcommands of the tap CLI, such as tap browser evaluate <js>. This allows the agent to execute arbitrary JavaScript within a browser context, which can be abused to perform unauthorized actions on websites or interact with page internals in ways that bypass standard tool constraints.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the download of external site scripts via tap site sync, introducing a dependency on remote content that is updated outside of the core skill context.
  • [DATA_EXFILTRATION]: The skill provides tools for deep data extraction, including the ability to read and set browser cookies (tap browser cookies get|set|clear) and wait for specific network request bodies (tap browser network wait --body). If misused or if the agent is compromised, these capabilities can be used to harvest sensitive session tokens and credentials.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because its primary function is to fetch and process untrusted external web content.
      • Ingestion points: Untrusted data enters the agent context through tap fetch, tap site, and browser interaction commands like tap browser text and tap browser snapshot.
      • Boundary markers: The instructions do not provide or mandate the use of delimiters or 'ignore embedded instructions' warnings when processing retrieved web content.
      • Capability inventory: The skill possesses extensive capabilities, including shell command execution, browser-side JavaScript execution, and network monitoring.
      • Sanitization: No explicit sanitization or validation of the fetched external content is required or described in the documentation, allowing malicious instructions hidden in web pages to be processed directly by the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/vaayne/tap/main/scripts/install.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 11, 2026, 09:46 PM