chrome-bookmark-reader
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses the local Chrome `Bookmarks` file, which is considered sensitive user data. The `bookmark_reader.js` file contains logic to locate this file within the user's `LOCALAPPDATA` directory (e.g., `Google/Chrome/User Data/Default/Bookmarks`) and read its contents using `fs.readFileSync`. Accessing browser profile data can expose browsing habits and internal network structures.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the bookmarks file and presents it to the agent for analysis.
  - Ingestion points: The `parseBookmarks` method in `bookmark_reader.js` reads and parses the JSON content of the Chrome bookmarks file.
  - Boundary markers: None. The extracted titles and URLs are not wrapped in security delimiters or instruction-ignore warnings.
  - Capability inventory: The script has filesystem read access via the `fs` module in `bookmark_reader.js`.
  - Sanitization: The code does not perform any sanitization, filtering, or validation of the bookmark titles or URLs before they are returned to the agent context. Maliciously crafted bookmark titles could potentially influence agent behavior during analysis.
Audit Metadata