chrome-cdp

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from web pages and possesses high-privilege capabilities to interact with those pages.
      • Ingestion points: scripts/cdp.mjs (commands html, snap, eval, and net read data from browser tabs).
      • Boundary markers: Absent; the skill does not wrap extracted browser content in delimiters or provide warnings to the agent to ignore embedded instructions.
      • Capability inventory: scripts/cdp.mjs (commands eval, click, nav, type, and evalraw allow the agent to modify browser state, click elements, and enter text).
      • Sanitization: Absent; external browser content is passed directly to the agent without validation or escaping.
  • [COMMAND_EXECUTION]: The skill provides an interface to execute arbitrary JavaScript and raw DevTools commands within the browser context.
      • Evidence: The eval and evalraw commands in scripts/cdp.mjs allow for arbitrary code execution in the target tab. While an intended feature, this capability can be exploited if the agent follows instructions from a malicious website.
  • [DATA_EXFILTRATION]: The skill allows the agent to access and export sensitive information from the user's browser session.
      • Evidence: Commands such as shot (screenshot), html (full page source), and snap (accessibility tree) in scripts/cdp.mjs expose the visual and textual content of any open tab to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 15, 2026, 07:28 PM