cdp
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The server in sdk/repl.ts uses the eval() function to execute JavaScript code snippets received via an HTTP interface, allowing for arbitrary logic execution within the persistent process.
- [COMMAND_EXECUTION]: The skill utilizes bash scripts to manage background operations and suggests modifying system-level binary paths, which requires executing commands that may impact system security.
- [CREDENTIALS_UNSAFE]: The skill's connection logic reads from browser profile directories to retrieve debugging metadata. These directories contain sensitive information such as authentication cookies, saved passwords, and browsing history.
- [PROMPT_INJECTION]: The skill is a surface for indirect prompt injection because it processes untrusted web content and possesses the capability to both read and write data to the browser session.
  - Ingestion points: Chrome tab content accessed via the CDP session.
  - Boundary markers: Absent.
  - Capability inventory: File system access via CLI, network access via CDP/Bun, and full browser control.
  - Sanitization: Sanitization and escaping of external content before interpolation are not implemented within the SDK core.
Audit Metadata