web-access-claude-skill
Warn
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements a local CDP proxy that allows for the execution of arbitrary JavaScript code within a browser session via the '/eval' endpoint.
- [DATA_EXFILTRATION]: The '/setFiles' endpoint allows the agent to select and upload local files from the user's system to external websites. Additionally, the '/screenshot' capability can be used to capture sensitive information from authenticated web pages.
- [COMMAND_EXECUTION]: The skill requires the execution of local shell scripts ('scripts/check-deps.sh') and starts a background Node.js process ('scripts/cdp-proxy.mjs') to handle browser communication.
- [EXTERNAL_DOWNLOADS]: Installation involves cloning a repository from GitHub ('github.com/eze-is/web-access') and references the Jina AI reader service ('r.jina.ai') for content extraction.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches and processes untrusted data from web pages.
  - Ingestion points: External data is ingested via WebSearch, WebFetch, and the CDP proxy's DOM extraction tools.
  - Boundary markers: The skill lacks delimiters or specific instructions to the agent to ignore instructions embedded within the fetched content.
  - Capability inventory: The skill provides capabilities for subprocess execution, arbitrary JavaScript execution, file writes, and network operations.
  - Sanitization: There is no evidence of sanitization, validation, or filtering of the external data before it is presented to the agent.