puppeteer-mcp
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONNO_CODE
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to the nature of web browsing.
- Ingestion points: The
navigateandget_contenttools allow untrusted data from any website to enter the agent's context. - Boundary markers: No delimiters or safety instructions are defined to help the agent distinguish between its own goals and instructions embedded in the HTML of visited pages.
- Capability inventory: The skill provides
evaluate(JavaScript execution),fill(data entry), andclick(interaction). An attacker can use 'instructions' hidden in a webpage to trick the agent into using these tools maliciously. - Sanitization: There is no evidence of sanitization for the content retrieved from
get_content. - COMMAND_EXECUTION (HIGH): The
evaluatetool allows for the execution of arbitrary JavaScript (scriptparameter) in the browser context. This is equivalent to Remote Code Execution if the agent is manipulated into running code provided by a malicious website. - DATA_EXFILTRATION (HIGH): An attacker-controlled webpage can use Indirect Prompt Injection to force the agent to read sensitive data from other open tabs or internal pages and then exfiltrate it via the
navigatetool (using query parameters) orevaluate(using fetch). - COMMAND_EXECUTION (MEDIUM): The
screenshottool allows writing to an arbitrary localpath. Without path validation, an agent could be tricked into overwriting critical files or saving sensitive visual data to insecure locations. - NO_CODE (INFO): This file defines the Model Context Protocol (MCP) interface but does not contain the implementation logic (e.g., the JavaScript/TypeScript code running the server). Analysis is limited to the interface capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata