lynx-devtool

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the agent to execute a Node.js script (scripts/index.mjs) to interact with the Lynx DevTool CLI for various debugging tasks.
  • [REMOTE_CODE_EXECUTION]: The skill supports the Runtime.evaluate, Runtime.compileScript, and Runtime.runScript methods, which allow the execution of arbitrary JavaScript expressions and scripts within the context of the connected Lynx application. This is an intended debugging feature that grants significant control over the application's runtime state.
  • [EXTERNAL_DOWNLOADS]: The App.openPage and Page.reload commands allow the agent to open or redirect the application to any URL. This can be used to load external resources or navigate to potentially malicious websites.
  • [DATA_EXFILTRATION]: The skill provides mechanisms to extract information from the target application, including reading script source code via Debugger.getScriptSource, capturing real-time console logs through get-console, and accessing shared data via the WhiteBoard domain.
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection where an attacker could provide malicious content (e.g., a URL or a code snippet) that, when processed by the agent, results in the execution of harmful commands within the Lynx application.
      • Ingestion points: Parameters passed to commands like cdp (e.g., expression), app (e.g., url), and open (e.g., target URL).
      • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are documented for the parameters.
      • Capability inventory: Includes arbitrary JavaScript execution on the target, application navigation, source code retrieval, and writing screenshots to the local filesystem.
      • Sanitization: There is no evidence of parameter sanitization or validation before they are passed to the DevTool CLI.
  • [DATA_EXFILTRATION]: The take-screenshot command allows the agent to capture the visual state of the application and save it as a file on the local disk, which could potentially expose sensitive UI information.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 10:37 PM