chrome-devtools
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (MEDIUM): The skill includes an `evaluate.js` script designed to execute arbitrary JavaScript strings within the browser context via the `--script` flag. This allows for dynamic code execution based on agent-generated or potentially external input.
- COMMAND_EXECUTION (MEDIUM): The skill's primary interface involves executing local Node.js CLI scripts. It also suggests running `./install-deps.sh` and `npx serve`, which involve system-level command execution and potentially elevated privileges for dependency installation.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires `npm install` to fetch the `puppeteer` library and other dependencies. While a common practice, fetching unpinned dependencies from a public registry introduces a supply-chain risk if the registry or packages are compromised.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it extracts information from untrusted web sources.
  - Ingestion points: `snapshot.js`, `aria-snapshot.js`, and `evaluate.js` ingest data from arbitrary URLs.
  - Boundary markers: No delimiters or safety instructions are mentioned to prevent the agent from following instructions found on websites.
  - Capability inventory: The agent can execute local scripts, read/write session files (`.browser-session.json`), and perform network operations.
  - Sanitization: No sanitization of ingested web content is described.
- PROMPT_INJECTION (LOW): The 'IMPORTANT Task Planning Notes' section contains instruction-shaping prompts that attempt to mandate specific agent behaviors (task planning and final review), which is a minor form of behavior override.
Audit Metadata