browser
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The `start.js` script contains a `--profile` flag that copies the user's active Chrome profile directory (e.g., `~/Library/Application Support/Google/Chrome/Default` on macOS) to a temporary location. This provides the agent or an attacker with access to sensitive credentials, session cookies, and browsing history.
- [Dynamic Execution] (MEDIUM): The `eval.js` file uses the `eval()` function to execute arbitrary JavaScript code provided via command-line arguments within the browser context. This allows for arbitrary execution of code on web pages.
- [Indirect Prompt Injection] (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted data from external websites.
  - Ingestion points: `eval.js` (returns results of script execution), `pick.js` (returns element text and metadata), and `screenshot.js` (visual output).
  - Boundary markers: Absent. There are no delimiters or instructions to the agent to treat the page content as untrusted.
  - Capability inventory: The skill allows for navigation (`nav.js`), code execution in the page (`eval.js`), and credential access (`start.js`).
  - Sanitization: No sanitization or filtering is performed on the data extracted from the browser before it is returned to the agent.
- [Command Execution] (LOW): The `start.js` script uses `child_process.spawn` to execute the local Chrome binary found on the system path.
Recommendations
- AI detected serious security threats