browser-automation
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The installation instructions require downloading a ZIP file from an untrusted GitHub repository (femto/mcp-chrome) and loading it as an 'unpacked' extension in Developer Mode. This method bypasses the automated and manual security reviews conducted by the Google Chrome Web Store, making it a primary vector for delivering malicious code.
- [DATA_EXFILTRATION] (HIGH): The skill is designed to operate within the user's existing Chrome profile. This grants the agent access to sensitive information including:
  - Active Sessions: The `chrome_network_request` tool can perform HTTP requests using the user's live cookies and authentication headers.
  - Personal Data: The `chrome_history` and `chrome_bookmark_search` tools allow searching through private browsing data.
  - Sensitive Content: `chrome_get_web_content` and `chrome_screenshot` can capture any information visible on the screen, including banking details or private messages if those tabs are open.
- [COMMAND_EXECUTION] (MEDIUM): The skill requires a global NPM installation (`npm install -g mcp-chrome-bridger`). Global packages can execute arbitrary code on the host machine during installation via post-install scripts and have persistent access to the command line.
- [PROMPT_INJECTION] (LOW): This skill is highly susceptible to Indirect Prompt Injection. Because it reads live web content (`chrome_get_web_content`), an attacker could place hidden instructions on a website that command the AI to use its interaction tools (`chrome_click_element`, `chrome_fill_or_select`) to perform unauthorized actions on other open tabs using the user's active login sessions.
Recommendations
- AI detected serious security threats
Audit Metadata