chrome-cdp

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This code intentionally creates a persistent, unauthenticated local daemon (Unix socket) that can execute arbitrary JavaScript inside live browser pages (including pages with existing authenticated sessions), persist after the initial Chrome "Allow debugging" click, and write/read predictable files in /tmp — together these are backdoor-like capabilities that enable local remote-code-execution in the page context and trivial data exfiltration of cookies/DOM/tokens by any actor who can access the socket.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly connects to the user's live Chrome session and reads or executes content from arbitrary open tabs (user pages) — e.g., SKILL.md and scripts/cdp.ts expose commands like snap, eval, html, and nav that extract page HTML, run Runtime.evaluate in the page, and navigate to arbitrary URLs, which are untrusted third‑party web content and can materially influence agent actions.