browser-cdp
Fail
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: HIGH (PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/cdp_proxy.py uses subprocess to locate and launch browser instances. These calls use argument lists, which is a safe practice that prevents shell injection attacks.
- [REMOTE_CODE_EXECUTION]: The SKILL.md file contains instructions for piping JSON output to python3 -m json.tool. While automated scanners may flag this pattern, it is a benign use of a standard Python module for formatting JSON output.
- [REMOTE_CODE_EXECUTION]: The /eval endpoint in scripts/cdp_proxy.py allows for direct JavaScript execution in the browser context. This is the intended functionality of the skill, though the local proxy does not implement access control for its API.
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by design as it ingests untrusted data from the internet.
  - Ingestion points: Page content and metadata accessed via scripts/cdp_proxy.py.
  - Boundary markers: None.
  - Capability inventory: Browser navigation, JavaScript execution, and screenshot capture in scripts/cdp_proxy.py.
  - Sanitization: No sanitization of the retrieved web content is performed.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:3456/targets - DO NOT USE without thorough review
Audit Metadata