openwork-docker-chrome-mcp
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill directs the agent to execute a local shell script (packaging/docker/dev-up.sh) and various Docker CLI commands (docker ps, docker compose). These actions are performed within the local repository context to manage a development stack.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its interaction with live web content.
  - Ingestion points: The agent reads untrusted data from the browser DOM using chrome-devtools_take_snapshot and chrome-devtools_wait_for.
  - Boundary markers: Absent. There are no instructions or delimiters to help the agent distinguish between legitimate UI elements and malicious text injected into the web page.
  - Capability inventory: The agent has the ability to execute shell commands, write files to /tmp, and perform automated browser actions (click, fill, navigate).
  - Sanitization: Absent. The agent is expected to use the raw output of the browser snapshots to make decisions about which elements to interact with, which could be exploited by an attacker-controlled web page to trigger unintended actions.
Audit Metadata