NYC

claude-chrome

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process untrusted data from any website the user visits.
      • Ingestion points: Web page content (DOM), console logs, and network request monitoring.
      • Boundary markers: None identified in the provided instructions to differentiate between user intent and malicious instructions embedded in web pages.
      • Capability inventory: Includes high-risk operations such as evaluate_script (JS execution), fill_form (automated data entry), and file writing (Save as CSV).
      • Sanitization: No evidence of sanitization for data extracted from web pages before it is processed by the agent.
  • [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill instructs the user to run npx chrome-devtools-mcp@latest.
      • Evidence: Executing unversioned packages directly from NPM via npx allows the execution of arbitrary code that could be modified at the source without user notice.
  • [Persistence Mechanisms] (HIGH): The skill includes a 'Scheduled Tasks' feature.
      • Evidence: Allows recurring browser automation (daily, weekly, etc.), which can be used to maintain long-term access or perform repeated malicious actions across sessions.
  • [Dynamic Execution] (HIGH): The evaluate_script tool allows the execution of arbitrary JavaScript within the browser context.
      • Evidence: Malicious instructions could use this to bypass security controls or exfiltrate session tokens from authenticated sites like Gmail or Notion.
  • [Data Exposure & Exfiltration] (MEDIUM): The skill has explicit access to authenticated browser sessions and can read sensitive data.
      • Evidence: Specifically mentions interacting with Gmail, Google Docs, and CRMs, with the ability to 'Extract structured data' and 'Save as CSV', creating a high-risk path for data exfiltration if the agent is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 10:45 PM