stealth-browser
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- DATA_EXFILTRATION (HIGH): The skill is designed to launch the user's primary Google Chrome instance (real Chrome install) in a hidden state using AppleScript. This architecture provides the AI agent and its local scripts full access to the user's entire browser profile, including authenticated sessions, cookies, browsing history, and saved passwords via the Chrome DevTools Protocol (CDP). An agent could evaluate JavaScript to exfiltrate session tokens from sensitive sites where the user is already logged in.
- COMMAND_EXECUTION (HIGH): The skill uses agent-browser to execute arbitrary JavaScript within the user's browser sessions via CDP. It also requires the installation of permanent hooks in ~/.claude/settings.json and ~/.claude/CLAUDE.md (webfetch-preflight.sh and webfetch-fallback.sh). These hooks automatically intercept and redirect web requests in future sessions without explicit user permission.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill depends on Node.js packages agent-browser and d2m from public registries. These dependencies are not from trusted sources and have not been audited for malicious code. Additionally, build instructions within the included extension files reference downloading code from github.com/gorhill/uBlock, which is not in the trusted repository list.
- Obfuscation (MEDIUM): The skill includes 396 files, many of which contain large blocks of minified JavaScript (e.g., cm6.bundle.ubol.min.js). Minified code is functionally equivalent to obfuscation in a security context as it prevents effective auditing of the skill's logic.
- PROMPT_INJECTION (LOW): As a scraping tool, the skill ingests untrusted HTML content from arbitrary websites and converts it to markdown for the agent (Category 8). This content can contain hidden instructions to manipulate the agent's behavior.
  - Ingestion points: Scraped web data processed via stealth-browser read.
  - Boundary markers: None provided; untrusted content is not clearly separated from agent instructions.
  - Capability inventory: Significant, including filesystem access, network operations, and browser control.
  - Sanitization: No evidence of input sanitization or filtering was found in the provided files.
Recommendations
- AI detected serious security threats
Audit Metadata