chrome-cdp
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
evalcommand allows the execution of arbitrary JavaScript within the context of the user's browser tabs, providing full control over the page's Document Object Model (DOM). - [COMMAND_EXECUTION]: The skill spawns persistent background processes (daemons) to manage communication with Chrome tabs. These processes use Unix domain sockets located in
/tmp, which could be accessible by other local users on a shared system. - [DATA_EXFILTRATION]: By interacting with the user's live browser session, the skill can access sensitive data from any open tab, including session cookies, local storage, and private content in authenticated applications (e.g., GitHub, Linear, or personal email).
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the following surface:
- Ingestion points: The
snapandhtmlcommands inscripts/cdp.tsingest raw text or HTML content from external, untrusted web pages. - Boundary markers: None. Content is returned to the agent without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill provides high-privilege capabilities including arbitrary JavaScript execution (
eval), navigation (nav), and simulated user input (click,type). - Sanitization: None. The script extracts content directly from the DOM and provides it to the agent without filtering for potentially malicious instructions.
Audit Metadata