electron
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE | COMMAND_EXECUTION | DATA_EXFILTRATION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute Bash commands to launch various native desktop applications (e.g., Slack, Visual Studio Code, Discord, Figma, Notion, Spotify) with the `--remote-debugging-port` flag. This action exposes the internal state of these applications to external control tools via the Chrome DevTools Protocol (CDP).
- [DATA_EXFILTRATION]: The skill enables the extraction of potentially sensitive information from automated applications. It provides patterns for saving application state to JSON files (`agent-browser snapshot --json > app-state.json`), reading text from UI elements (`agent-browser get text`), and capturing screenshots. This capability can be used to access private communications or sensitive data within apps like 1Password or Slack.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data directly from the user interface of external applications.
  - Ingestion points: Data enters the agent's context through UI snapshots and text extraction commands specified in SKILL.md.
  - Boundary markers: The skill lacks instructions for using delimiters or warnings to ignore embedded commands within the ingested application content.
  - Capability inventory: The agent possesses the capability to simulate user input (clicks, keyboard events, form filling) and execute shell commands through the allowed agent-browser tool.
  - Sanitization: There is no implementation of sanitization or validation for the content retrieved from external applications before it is processed by the agent.
Audit Metadata