chrome-devtools
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES]: The `docker/docker-compose.yml` file contains a command that executes `npm install` inside the container environment every time the `cdp-api` service starts. This performs dynamic downloads of Node.js packages from the public npm registry at runtime without fixed integrity hashes.
- [DYNAMIC_EXECUTION]: The file `docker/cdp-api-server.js` exposes an `/evaluate` REST endpoint that accepts a JavaScript `expression` from the request body and executes it within the browser context using `eval()`. This allows for arbitrary code execution within the browser environment.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from external web pages via features like `/navigate`, `/content`, `/console`, and `/network`.
  - Ingestion points: Browser page navigation and content extraction in `cdp-api-server.js` and `cdp_client.rb`.
  - Boundary markers: None identified; untrusted web content is not delimited or sanitized before being returned to the agent.
  - Capability inventory: The skill provides full browser control, including JS execution, cookie manipulation, and network monitoring.
  - Sanitization: No sanitization or safety filtering is performed on data retrieved from external URLs.
- [PRIVILEGE_ESCALATION]: The `docker/docker-compose.yml` file grants the `SYS_ADMIN` capability to the Chrome container. While often required for Chrome's sandbox in Docker, it represents a significant permission set within the container runtime environment.
- [DATA_EXPOSURE]: The skill includes a hardcoded VNC password ('secret') in `SKILL.md` and `scripts/vnc_url.sh`. While this is intended for local debugging access to the Docker container, it represents a default credential pattern.
Audit Metadata