claude-chrome
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill instructs users to run
claudewith the--dangerously-skip-permissionsflag. This flag is a major security risk as it disables all user-confirmation prompts for file system access, network operations, and command execution, allowing the agent to perform privileged actions autonomously. - PROMPT_INJECTION (HIGH): The skill uses the
-p(or--print) flag to pass a natural language prompt directly into Claude Code. If this prompt is constructed using untrusted user input, an attacker can use indirect prompt injection to take control of the browser session or the host node's file system through Claude Code's native capabilities. - DATA_EXFILTRATION (HIGH): Since the skill facilitates browser automation on a node where a user is likely logged into various services (Chrome profile), an attacker could use the automated browser to scrape sensitive information from authenticated web sessions and exfiltrate it via network requests.
- EXTERNAL_DOWNLOADS (LOW): The skill requires the installation of
claude(Claude Code), which is a legitimate tool from a trusted source (Anthropic), but it relies on an external CLI that must be pre-installed on the host node. - INDIRECT_PROMPT_INJECTION (HIGH): (Category 8 Evaluation)
- Ingestion points: User-provided prompts passed to the
-pflag and content scraped from web pages visited by the browser. - Boundary markers: None provided in the command templates.
- Capability inventory: Claude Code has the ability to read/write files, execute shell commands, and perform network requests.
- Sanitization: No sanitization or input validation is suggested for the prompts or the web content processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata