chrome-devtools
Audited by Socket on Mar 3, 2026
1 alert found:
Obfuscated File
The manifest describes a powerful debugging/automation interface that — when used as written — exposes high-impact sensitive sources (cookies, DOM, storage, local files) to sinks (network, filesystem, host execution). The primary supply-chain/security concern is the unpinned npx install of a remote CLI and the combination of arbitrary page script execution plus filesystem/network sinks. The manifest itself is not demonstrably malicious, but it documents an operational pattern that enables easy data exfiltration and host compromise if the remote package or scripts are malicious or compromised. Treat this as a medium-to-high risk integration: require pinned, verified installs, run in isolated environments, restrict evaluate_script, and control filesystem and network egress.