gemini-research-browser-use

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill instructs copying and reusing the user's Chrome profile and connecting to Chrome's DevTools Protocol to execute arbitrary JavaScript in pages (via Runtime.evaluate), which can access cookies, tokens, and page DOM and therefore enables credential theft or data exfiltration even if the example scripts do not explicitly send data to remote servers — overall this is high risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill programmatically connects to the user's Chrome session and reads content from the external Gemini web interface (https://gemini.google.com) via the DevTools WebSocket (extracting .markdown elements), so it ingests third-party web content that the agent will interpret.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). This skill directs the agent to copy/modify Chrome user profile data, install Python packages, launch Chrome with remote debugging (exposing a logged-in session), create and delete temp files, and kill processes — all of which change the local machine state and can leak sensitive data, but it does not request sudo, create system users, or modify privileged system files.