google-webmcp
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill manages an authenticated Google browser profile stored at ~/.uxc/webmcp-profile/google. This directory contains sensitive session data and cookies required for the agent to act on behalf of the user on Google services.
- [COMMAND_EXECUTION]: The skill includes a shell script (scripts/ensure-links.sh) used to configure the execution environment. This script executes a secondary script located in a sibling skill directory (skills/webmcp-bridge/scripts/ensure-links.sh) to set up the CLI tool.
- [EXTERNAL_DOWNLOADS]: The skill instructions require installing browser binaries via npx playwright install. These downloads are performed from well-known sources associated with Microsoft's Playwright project.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data retrieved from external sources (Google Search results and Gemini responses).
  - Ingestion points: Data is ingested through search.web results and gemini.chat responses (SKILL.md).
  - Boundary markers: None explicitly defined in the instructions to separate search results from agent instructions.
  - Capability inventory: The skill can execute shell commands and automate browser interactions.
  - Sanitization: The skill relies on structured JSON output for tool responses, which provides a layer of data isolation.
Audit Metadata