visual-qa
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill instructions in
resources/gemini-review.mddirect the agent to extract theGEMINI_API_KEYfrom a sensitive file path (.env.local) using shell commands (grep,cut). Accessing environment files is a high-severity finding as these files frequently contain multiple secrets that could be exposed. - [COMMAND_EXECUTION] (MEDIUM): The skill utilizes the bash tool to execute shell pipelines and launch Node.js scripts (
node tests/visual-review.mjs). This execution model provides a vector for local code execution based on instructions provided within the skill's resources. - [DATA_EXFILTRATION] (LOW): The skill captures browser screenshots and GIF recordings and sends them to the Gemini API (
gemini-2.0-flash). While Google is a trusted source and this is the primary purpose of the skill, it involves the transmission of potentially sensitive application data to an external service. - [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from web applications.
- Ingestion points: Browser content (HTML, text) and visual data (screenshots/GIFs) ingested via the
claude-in-chromeMCP tools. - Boundary markers: Absent; the skill interpolates action captions and visual data directly into the Gemini review prompt without delimiters or instructions to ignore embedded commands.
- Capability inventory: Includes browser navigation (
navigate), screenshot/GIF capture, filesystem access (readFileSync), and shell execution (bash). - Sanitization: No sanitization or filtering of the web content or visual evidence is performed before processing.
Recommendations
- AI detected serious security threats
Audit Metadata