kernel-python-sdk
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Remote Code Execution (HIGH): The skill documentation explicitly promotes the use of kernel.browsers.playwright.execute(session_id, code="..."). This function allows for the execution of arbitrary Python code strings on a remote server/VM, which is a significant RCE capability that can be exploited if the code string is influenced by untrusted data.
- Indirect Prompt Injection (HIGH): This skill has a high vulnerability surface for indirect prompt injection.
  - Ingestion points: The browser automation tools built with this SDK are designed to process and automate tasks on external, untrusted web pages.
  - Boundary markers: None. The documentation does not provide instructions for delimiting or ignoring instructions found within the web content being processed.
  - Capability inventory: The SDK includes remote code execution (playwright.execute), OS-level hardware controls (mouse/keyboard via kernel.browsers.computer), and managed authentication connections (kernel.auth.connections).
  - Sanitization: There is no mention of sanitizing or validating the data extracted from browsers before it is used to influence agent logic or code generation.
- Command Execution (MEDIUM): The kernel.browsers.computer module provides OS-level controls including mouse and keyboard events and screenshots, allowing for indirect command execution through the GUI of the remote host.
Recommendations
- AI detected serious security threats
Audit Metadata