marketing-cro
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute 'npm install -g agent-browser && npx playwright install chromium' in the SKILL.md file. Installing unverified global packages from the npm registry and executing them is a high-risk behavior that allows for code execution from unknown sources.
- [EXTERNAL_DOWNLOADS]: The skill pulls dependencies from the NPM registry at runtime. While Playwright is a standard tool, 'agent-browser' is not from a recognized trusted vendor or well-known service, making it an unverifiable dependency.
- [COMMAND_EXECUTION]: The 'agent-browser' CLI is invoked via shell commands to perform audits and content extraction. These commands use variables like '{page-url}' which are supplied at runtime, potentially allowing for command injection if input is not strictly validated.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks.
  - Ingestion points: Content is fetched from untrusted external URLs using 'agent-browser get text body', as seen in the 'Research Mode' section of SKILL.md.
  - Boundary markers: Absent. There are no delimiters or instructions for the agent to distinguish between its own instructions and data scraped from external pages.
  - Capability inventory: The agent has the ability to read sensitive local files (brand-context.md, product-marketing-context.md, sostac files) and perform network/file operations.
  - Sanitization: None. Data from external sites is processed directly, allowing malicious instructions on a visited webpage to potentially trigger exfiltration of proprietary brand context files.
Recommendations
- AI detected serious security threats