RedBookSkills

Warn

Audited by Gen Agent Trust Hub on May 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/chrome_launcher.py executes shell commands to launch the Google Chrome browser with remote debugging enabled via the --remote-debugging-port flag.\n- [COMMAND_EXECUTION]: The add_account function in scripts/account_manager.py accepts unsanitized user-provided account names to construct file system paths for Chrome profiles. This enables path traversal (e.g., using .. in the name) and the creation of directories outside the intended base directory.\n- [EXTERNAL_DOWNLOADS]: The scripts/image_downloader.py script downloads images and videos from arbitrary URLs using the requests library without validation of the source domain.\n- [DATA_EXFILTRATION]: Both scripts/cdp_publish.py and scripts/publish_pipeline.py allow users to specify a remote host for the browser debugging connection via the --host parameter. This capability could be used to direct browser automation or session data (cookies) toward an external, attacker-controlled endpoint.\n- [PROMPT_INJECTION]: The skill instructions in SKILL.md define a workflow for fetching and summarizing content from user-provided URLs, which introduces an indirect prompt injection attack surface where malicious instructions in external content could manipulate agent behavior.\n
  • Ingestion points: External URL content processing described in SKILL.md.\n
  • Boundary markers: None provided in the processing instructions to delimit external content.\n
  • Capability inventory: Browser automation via cdp_publish.py, file system writes via image_downloader.py, and network access.\n
  • Sanitization: No explicit validation or filtering of fetched content is defined.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 30, 2026, 09:49 AM
Security Audit — agent-trust-hub — RedBookSkills