chrome-devtools
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to run 'bunx -y chrome-devtools-mcp@latest' and 'go install github.com/f/mcptools/cmd/mcptools@latest'. Both specs resolve '@latest' at run time, so the code that executes is whatever the npm registry and the Go module proxy serve at that moment; the skill pins no version and performs no integrity validation (no lockfile, no checksum comparison) before running it.
- [EXTERNAL_DOWNLOADS]: Dependencies are fetched from the public npm and Go/GitHub registries at run time rather than from a reviewed, vendored copy. This bypasses any security review the operator performs on installed software and exposes the host to supply-chain attacks such as a compromised or hijacked package release.
- [COMMAND_EXECUTION]: The skill runs multi-step bash commands using 'pkill', 'sleep', and 'timeout' to manage browser processes. Inputs such as URLs or scripts are interpolated into an interactive 'mcp shell' session without validation; if a URL or script taken from the task or from page content contains shell metacharacters, those run as commands on the host.
- [PROMPT_INJECTION]: The skill navigates to external URLs and retrieves content using 'take_snapshot' and 'list_console_messages'. This ingestion of untrusted data lacks boundary markers or sanitization, creating a surface for indirect prompt injection. Ingestion points: 'take_snapshot', 'list_console_messages'. Boundary markers: Absent. Capability inventory: 'Bash' subprocesses and 'evaluate_script' JavaScript execution. Sanitization: Absent.
- [DATA_EXFILTRATION]: Browser automation tools can reach services on localhost and the internal network that are not exposed to the internet. Snapshots, console output and network logs from such sessions can carry cookies, session tokens, PII, or internal credentials into the agent's context, from where they can be repeated back or sent elsewhere if the browser interacts with sensitive sites.
Recommendations
- AI detected serious security threats
Audit Metadata