RedBookSkills
Warn
Audited by Gen Agent Trust Hub on May 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/chrome_launcher.pyexecutes shell commands to launch the Google Chrome browser with remote debugging enabled via the--remote-debugging-portflag.\n- [COMMAND_EXECUTION]: Theadd_accountfunction inscripts/account_manager.pyaccepts unsanitized user-provided account names to construct file system paths for Chrome profiles. This enables path traversal (e.g., using..in the name) and the creation of directories outside the intended base directory.\n- [EXTERNAL_DOWNLOADS]: Thescripts/image_downloader.pyscript downloads images and videos from arbitrary URLs using therequestslibrary without validation of the source domain.\n- [DATA_EXFILTRATION]: Bothscripts/cdp_publish.pyandscripts/publish_pipeline.pyallow users to specify a remote host for the browser debugging connection via the--hostparameter. This capability could be used to direct browser automation or session data (cookies) toward an external, attacker-controlled endpoint.\n- [PROMPT_INJECTION]: The skill instructions inSKILL.mddefine a workflow for fetching and summarizing content from user-provided URLs, which introduces an indirect prompt injection attack surface where malicious instructions in external content could manipulate agent behavior.\n - Ingestion points: External URL content processing described in
SKILL.md.\n - Boundary markers: None provided in the processing instructions to delimit external content.\n
- Capability inventory: Browser automation via
cdp_publish.py, file system writes viaimage_downloader.py, and network access.\n - Sanitization: No explicit validation or filtering of fetched content is defined.
Audit Metadata