chrome-devtools

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH | COMMAND_EXECUTION | REMOTE_CODE_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The screenshot.js script is vulnerable to command injection via the --output argument. The script uses execSync to invoke ImageMagick tools (magick or convert) by directly interpolating the file path into a shell command string. While the paths are enclosed in double quotes, the input is not sanitized for shell metacharacters like double quotes or semicolons, allowing an attacker to break out of the command and execute arbitrary system instructions.
      • Evidence: Found in scripts/screenshot.js (lines 50, 53, 76, 85) where compressionCmd is constructed using template literals with the filePath variable derived from user input.
  • [COMMAND_EXECUTION] (HIGH): The scripts/install-deps.sh script requires and utilizes sudo to install system packages across various Linux distributions. Executing shell scripts with root privileges is a high-risk operation.
      • Evidence: Found in scripts/install-deps.sh (lines 39-160) where the $SUDO variable is used with apt-get, dnf, yum, and pacman commands.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The evaluate.js script exposes a powerful eval() sink within the browser context. While intended for automation, this capability allows for the execution of arbitrary JavaScript code, which can be weaponized if the agent's input is compromised.
      • Evidence: Found in scripts/evaluate.js (line 40): return eval(script);.
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface. The skill ingests untrusted data from external websites and possesses high-impact capabilities (file writing, browser interaction, JS execution).
      • Ingestion points: Web page content, console logs, and network metadata are retrieved in scripts/console.js, scripts/snapshot.js, and scripts/network.js.
      • Boundary markers: None present; data is passed directly to the agent's context.
      • Capability inventory: File writing (screenshot.js, network.js), browser interaction (click.js, fill.js), and arbitrary JS execution (evaluate.js).
      • Sanitization: No sanitization is performed on browser-context data before it is presented to the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:39 PM