The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data by navigating to external websites. Because it possesses high-privilege capabilities like script execution and form interaction, it is highly vulnerable to adversarial content on those pages.
Ingestion points: navigate_page (external HTML content), list_console_messages (untrusted logs), and list_network_requests (untrusted headers/responses).
Boundary markers: No delimiters or safety instructions are used to distinguish between system instructions and page content.
Capability inventory: Includes evaluate_script (JS execution), click/fill_form (interaction), and take_screenshot/get_network_request (data exfiltration).
Sanitization: No evidence of sanitization or content filtering for processed web data.
Dynamic Execution (HIGH): The evaluate_script tool allows for the execution of arbitrary JavaScript code. This creates a direct path for Remote Code Execution (RCE) within the browser context if the input is manipulated via indirect injection.
Data Exfiltration (HIGH): The skill provides tools to inspect sensitive network traffic (get_network_request) and capture visual data (take_screenshot). This could be abused to steal session tokens, cookies, or sensitive information from other open tabs or internal sites.
External Downloads (HIGH): The installation instructions recommend npx chrome-devtools-mcp@latest, which downloads and executes code from a non-whitelisted source at runtime. While the tool appears legitimate, this pattern is inherently high-risk in an agentic context.
Privilege Escalation (MEDIUM): The navigate_page tool could potentially be used to access local system files via the file:// protocol if the Chrome instance is not properly sandboxed, leading to unauthorized sensitive file exposure.

chrome-devtools