deep-debug
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by ingesting untrusted external data and feeding it into high-privilege sub-agents. A malicious website could place payloads in console logs or network headers to hijack the agent's logic.
  - Ingestion points: The tools read_network_requests, read_console_messages, and read_page (defined in SKILL.md and rules/chrome-evidence-tools.md) pull data directly from the active browser session.
  - Boundary markers: The prompt templates in templates/parallel-agent-prompts.md use simple EVIDENCE: headers, which provide no defense against adversarial instructions embedded in the data.
  - Capability inventory: The skill uses mcp__claude-in-chrome__javascript_tool, which can execute arbitrary code in the browser context.
  - Sanitization: There is no evidence of filtering or escaping logic applied to the evidence before it is pasted into sub-agent tasks.
- Dynamic Execution (MEDIUM): The skill relies on the javascript_tool for debugging purposes (rules/chrome-evidence-tools.md). While functional, this tool acts as an exploit vector if the agent is influenced by malicious instructions from a processed webpage.
Recommendations
- AI detected serious security threats
Audit Metadata