skills/garrytan/gstack/connect-chrome/Gen Agent Trust Hub

connect-chrome

Pass

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's setup script downloads and executes the Bun runtime installer from its official domain (bun.sh) if it is not found on the system.
  • [COMMAND_EXECUTION]: Employs several local scripts provided within the gstack installation (e.g., gstack-config, gstack-update-check) to manage session state and user preferences.
  • [REMOTE_CODE_EXECUTION]: Performs dynamic shell execution by sourcing the output of the local gstack-repo-mode utility to configure the environment for the current repository. It also executes a remote installation script from bun.sh, a well-known service provider.
  • [DATA_EXFILTRATION]: Implements a telemetry system that logs skill usage metrics (including skill name, duration, and outcome) to a local file. Users are explicitly prompted to opt in before data is transmitted externally via a local logging binary.
  • [PROMPT_INJECTION]: Ingests external web data through navigation and snapshot commands, which creates a potential surface for indirect prompt injection from malicious websites.
      • Ingestion points: Web page content retrieved via snapshot and navigation commands in SKILL.md.
      • Boundary markers: None identified; untrusted content is passed directly into the agent context.
      • Capability inventory: The skill has access to Bash and user interaction tools.
      • Sanitization: No content sanitization or instruction-filtering is performed on the browser data.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 4, 2026, 03:11 PM