browse
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill contains automated logic to extract and decrypt sensitive browser session cookies directly from the host machine. The implementation in `src/cookie-import-browser.ts` targets local cookie databases for browsers including Chrome, Arc, Brave, and Edge, and utilizes the macOS Keychain to retrieve storage encryption keys.
- [COMMAND_EXECUTION]: The skill executes external system utilities using `Bun.spawn`. Specifically, it calls the `security` command to interact with the macOS Keychain (`src/cookie-import-browser.ts`) and the `open` command to launch the cookie picker UI in the default browser (`src/write-commands.ts`).
- [DATA_EXFILTRATION]: The skill facilitates the exposure of highly sensitive authentication data. The `cookie-import-browser` command allows the agent to read and import browser cookies into its current session, which could lead to session hijacking of the user's accounts if the agent is manipulated by a malicious website.
- [REMOTE_CODE_EXECUTION]: The skill allows the execution of arbitrary JavaScript from files on the host system. The `eval` command in `src/read-commands.ts` reads content from local file paths and executes it within the browser context via `page.evaluate()`. While restricted to specific directories, this could be chained with other agent capabilities to execute locally-generated malicious code.
- [PROMPT_INJECTION]: The skill possesses a significant indirect prompt injection surface as it is designed to ingest and process untrusted content from the web. Information extracted via `text`, `html`, or `accessibility` commands (`src/read-commands.ts`) is returned to the agent without sanitization, potentially allowing malicious webpages to influence the agent's behavior and trigger high-privilege commands.
Recommendations
- AI detected serious security threats
Audit Metadata