openwork-docker-chrome-mcp
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a repository-local shell script
packaging/docker/dev-up.shand utilizesdockeranddocker composecommands to manage containerized services. - [DATA_EXPOSURE]: The skill references local configuration files containing sensitive authentication tokens (
OPENWORK_TOKEN) used for development environment access. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and acting upon content from a web UI via Chrome MCP tools.
- Ingestion points: Web UI content retrieved via
chrome-devtools_take_snapshot. - Boundary markers: None present to distinguish UI content from system instructions.
- Capability inventory: Execution of local shell scripts, Docker commands, and file system access.
- Sanitization: No sanitization or validation logic is defined for the UI content processed by the agent.
Audit Metadata