chrome-devtools

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (CRITICAL): The screenshot.js script is vulnerable to shell command injection via the --output argument. User-provided file paths are directly interpolated into a shell command string for ImageMagick (magick "${filePath}" ...) and executed using execSync. An attacker could exploit this to run arbitrary system commands. Evidence: Found in scripts/screenshot.js line 49 and line 155.
  • [REMOTE_CODE_EXECUTION] (HIGH): The evaluate.js script allows the agent to execute arbitrary JavaScript code within the browser's page context using eval(). This presents a high risk if the agent is tricked into executing malicious scripts on sensitive domains. Evidence: Found in scripts/evaluate.js line 35.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The install.sh and install-deps.sh scripts install numerous system dependencies and Node.js packages from external repositories, increasing the supply chain attack surface. Evidence: scripts/install-deps.sh uses package managers (apt, dnf, pacman) and scripts/install.sh executes npm install.
  • [COMMAND_EXECUTION] (MEDIUM): The browser is launched with the --no-sandbox flag, which disables critical security protections in Chromium, making the host system more vulnerable to browser-based exploits. Evidence: Found in scripts/lib/browser.js line 25.
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted content from the web and possesses high-privilege capabilities including file writing and shell execution. Ingestion points: page.goto(args.url) in navigate.js, click.js, screenshot.js, evaluate.js, snapshot.js, console.js, network.js, and performance.js. Boundary markers: Absent. Capability inventory: Shell command execution (via screenshot.js vulnerability), Browser JavaScript execution (evaluate.js), and arbitrary file system writes (network.js, snapshot.js). Sanitization: Absent. The blacklist-based validation in scripts/lib/selector.js for XPath is insufficient to prevent sophisticated injection attacks.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 02:42 AM