kernel-typescript-sdk
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is primarily used to ingest untrusted data from external websites via browser automation. This content is then processed by an agent that has high-privilege execution capabilities.
  - Ingestion points: Untrusted web content accessed via `kernel.browsers` and Playwright sessions.
  - Boundary markers: None are documented or implemented in the provided SDK patterns.
  - Capability inventory: `kernel.browsers.playwright.execute()` allows server-side execution of arbitrary code; `kernel.browsers.filesystem.readFile` allows reading from the remote VM; `kernel.auth.connections` manages credentials.
  - Sanitization: No evidence of sanitization or validation of external content before it is processed or used in execution contexts.
- [Remote Code Execution] (HIGH): The core functionality of the skill centers around `kernel.browsers.playwright.execute()`, which executes Playwright code on a remote server. If an attacker can influence the code string passed to this function via prompt injection or data poisoning, they can achieve arbitrary code execution in the browser environment.
- [External Downloads] (LOW): The skill requires the `@onkernel/sdk` package and references documentation at `kernel.sh`. While consistent with the skill's purpose, these are non-trusted external sources per the defined security policy.
- [Scanner Alert] (INFO): Automated scans flagged `browser.se` as a malicious URL. Technical analysis suggests this is a false positive caused by the scanner misinterpreting the variable `browser.session_id` as a domain with a top-level domain of `.se`.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE