chrome-extension-dev
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The documentation references standard package management commands (`npm create wxt@latest`, `npm install`). These are routine for JavaScript development and point to well-known registries.
- [COMMAND_EXECUTION] (SAFE): Command-line examples are restricted to standard development workflows such as `npm run dev`, `npm run build`, and `npm run zip`. No unauthorized or obfuscated shell commands are present.
- [REMOTE_CODE_EXECUTION] (SAFE): The guide specifically includes security-focused documentation for Manifest V3, highlighting the prohibition of `eval()` and remote script execution, ensuring developers bundle all code locally.
- [DATA_EXFILTRATION] (SAFE): While the guide explains how to use sensitive APIs like `chrome.cookies` and `chrome.tabs`, it provides legitimate implementation patterns and emphasizes using the 'Minimal Permissions' principle to protect user data.
- [INDIRECT_PROMPT_INJECTION] (LOW): The 'Browser Automation' pattern in `references/patterns.md` describes using reference numbers for LLM element identification. This is a common pattern for agentic web browsing and does not represent an inherent vulnerability in the skill's own code.
Audit Metadata