deep-debug
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes the `mcp__claude-in-chrome__javascript_tool` to execute arbitrary code within the user's browser context. While intended for debugging, this allows for the execution of any JavaScript, which could be used to modify page behavior or interact with authenticated sessions.
- [DATA_EXFILTRATION] (MEDIUM): The skill can access sensitive browser data, including network request payloads, console logs, and page state. The documentation explicitly suggests using the `javascript_tool` to read `localStorage` and `getEventListeners`, which often contain authentication tokens or sensitive application state. This information is then exposed within the agent's context.
- [PROMPT_INJECTION] (LOW): The skill is highly susceptible to indirect prompt injection (Category 8). It ingests untrusted data from external websites (via network logs, console output, and DOM content) and interpolates it directly into the prompts for sub-agents (debugger, code-reviewer, and Explore) without using delimiters or sanitization.
  - Ingestion points: Data enters via `mcp__claude-in-chrome__read_network_requests`, `read_console_messages`, and `read_page`.
  - Boundary markers: Absent. The templates in `templates/parallel-agent-prompts.md` use simple placeholders like `[Paste evidence here]`, which allow malicious content in the evidence to hijack the sub-agent's instructions.
  - Capability inventory: The skill can spawn additional agents via the `Task` tool and execute code via `javascript_tool`.
  - Sanitization: None. There is no evidence of escaping, filtering, or validation of the ingested browser data before it is reused in prompts.