ghost-browser
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the Playwright framework and the manual download of the Chromium browser binary via the command
playwright install chromiumto perform automation tasks. - [COMMAND_EXECUTION]: The skill operates through several Python scripts (e.g.,
linkedin_engage.py,universal_scraper.py,stats_tracker.py) that execute shell commands to automate browser sessions, interact with local files, and perform network operations. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
- Ingestion points: Data is ingested from external websites via
universal_scraper.pyand from the LinkedIn feed vialinkedin_engage.py. - Boundary markers: No explicit delimiters or instructions are used to distinguish between system instructions and untrusted data from the browser.
- Capability inventory: The skill can perform sensitive write actions, including publishing LinkedIn posts, applying for jobs, and sending notifications via Telegram through
stats_tracker.py. - Sanitization: There is no evidence of sanitization or filtering of the scraped content before it is passed to the OpenAI API (GPT-4o-mini) for generating comments or cover letters.
- [DATA_EXPOSURE]: The skill's architecture requires the manual extraction and provision of sensitive session cookies (
LINKEDIN_LI_AT,TWITTER_AUTH_TOKEN,TWITTER_CT0). While this is a functional requirement for the skill's purpose, the handling of these high-value credentials by an AI agent increases the risk of accidental exposure or misuse.
Audit Metadata