chrome-automation

Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on the agent-browser CLI to control the user's local browser instance. It specifically utilizes the eval command to execute arbitrary JavaScript within the browser context (e.g., agent-browser --auto-connect eval '...'), which can be used to manipulate page state or bypass UI constraints.
  • [DATA_EXFILTRATION]: By connecting to the user's active Chrome session via --auto-connect, the agent gains access to sensitive state, including authentication cookies and the contents of all open tabs (visible via tab list). The instructions explicitly direct the agent to check existing tabs to reuse login states, exposing those URLs and titles to the model.
  • [REMOTE_CODE_EXECUTION]: The skill supports "Replaying Recordings" in JavaScript format (Puppeteer JS). This pattern involves interpreting or executing external logic provided in recording files, which could be exploited to run harmful operations within the browser environment.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the agent-browser package (npm install -g agent-browser), which is an external dependency from Vercel Labs. While originating from a well-known source, it provides the fundamental capability for the agent to control the user's local environment.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it is designed to read and interact with untrusted content from the public internet (e.g., social media comments, Reddit posts). Malicious instructions embedded in a web page could trick the agent into using its eval or click capabilities for unintended actions like transferring data or deleting accounts.
    • Ingestion points: agent-browser snapshot -i, get text body, and reading external recording files (JSON/JS).
    • Boundary markers: Missing. The skill relies on high-level instructions to "confirm with the user" rather than technical delimiters to isolate untrusted web data from the agent's command logic.
    • Capability inventory: Full browser automation (navigation, clicking, form filling) and arbitrary JavaScript execution (eval) via the agent-browser tool.
    • Sanitization: None. The skill processes raw page text and snapshots directly without filtering for potential instruction injection.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: May 10, 2026, 05:58 AM