chrome-automation

Fail

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: Hardcoded VNC password 'vnc123' is used in both setup.sh and start-chrome-automation.sh to configure the remote access server.
  • [COMMAND_EXECUTION]: The start-chrome-automation.sh script configures the VNC server with -localhost no, exposing the desktop session and browser to the network with only a weak, hardcoded password for protection.
  • [COMMAND_EXECUTION]: The skill launches Google Chrome with the --no-sandbox flag while running as root, which disables the browser's primary security isolation mechanism and increases the risk of system compromise from malicious web content.
  • [COMMAND_EXECUTION]: The setup.sh script installs multiple system-level packages and modifies the system's binary search path by creating symlinks in /usr/local/bin.
  • [COMMAND_EXECUTION]: The chrome-a11y and chrome-monitor.py scripts utilize the AT-SPI2 accessibility bus to programmatically interact with UI elements, which can be used to bypass user confirmation dialogs or auto-click buttons.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 1, 2026, 02:03 PM