chrome-bookmarks
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses private application data by reading the Chrome bookmarks file from system-specific paths (e.g., %LOCALAPPDATA%, ~/Library/Application Support/, or ~/.config/google-chrome/). While this is the primary purpose of the skill, it involves accessing sensitive local files.
- [PROMPT_INJECTION]: The skill processes untrusted bookmark names and URLs, which serves as an indirect prompt injection surface.
  - Ingestion points: The references/organize_bookmarks.py script reads and parses the Chrome Bookmarks JSON file.
  - Boundary markers: There are no delimiters or specific instructions provided to the agent to treat the bookmark content as untrusted data.
  - Capability inventory: The skill is capable of writing to the local file system via the references/organize_bookmarks.py script to create the HTML output file.
  - Sanitization: The script does not sanitize the bookmark 'name' or 'url' fields before interpolating them into the HTML structure, which could allow malicious bookmark data to execute scripts if the exported HTML file is opened in a browser.
Audit Metadata