ultra-research
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill utilizes `browser_run_code` and `browser_evaluate` to execute dynamic JavaScript snippets within the browser context. This execution occurs on pages where the user is encouraged to maintain active login sessions for services like Gemini, ChatGPT, and Claude, potentially exposing session data or personal history.
- [COMMAND_EXECUTION]: The skill employs the `Bash` tool to run commands such as `pkill -f "mcp-chrome"`. While intended for browser recovery, the use of `pkill` allows the agent to terminate processes on the host system.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core function of aggregating data from external AI services and the web.
  - Ingestion points: Content is retrieved from multiple external AI providers and websites via Playwright extraction scripts in `references/extraction.md`, `references/gemini.md`, `references/chatgpt.md`, `references/claude-web.md`, and `references/grok.md`.
  - Boundary markers: The instructions do not define clear delimiters or use 'ignore embedded instructions' directives when processing or summarizing the gathered information.
  - Capability inventory: The agent possesses high-impact tools including `browser_run_code` for arbitrary JS execution, `Bash` command execution, and file system `Write` access.
  - Sanitization: No validation or sanitization is performed on the data extracted from the web/AI services before it is saved to local files or integrated into the final report.
Audit Metadata