web-browser

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The scripts/start.js file includes a --profile flag that uses rsync to copy the user's entire Google Chrome profile directory, including cookies, session tokens, and history, from ~/Library/Application Support/Google/Chrome/ to a local cache directory (~/.cache/scraping). This exposes sensitive authentication state to any process or agent accessing that directory.
  • [COMMAND_EXECUTION]: scripts/start.js executes several shell commands using execSync and spawn, including killall 'Google Chrome', mkdir -p, and rsync. This allows the skill to manipulate system processes and the file system.
  • [REMOTE_CODE_EXECUTION]: scripts/eval.js provides the capability to execute arbitrary JavaScript code within the active browser tab using the Runtime.evaluate CDP method. This allows an agent to interact with page content but also to perform actions like stealing cookies or making unauthorized requests if the agent is compromised.
  • [DATA_EXFILTRATION]: scripts/watch.js implements a background logger that records all console messages, exceptions, and network request/response metadata (URLs, methods, statuses) to JSONL files in ~/.cache/agent-web/logs/. This creates a persistent record of potentially sensitive data transmitted during browsing sessions.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to its architecture:
      • Ingestion points: scripts/pick.js reads element text and HTML; scripts/eval.js retrieves DOM content; scripts/watch.js captures network and console data from external websites.
      • Boundary markers: None. The skill does not implement delimiters or safety instructions when passing retrieved web content back to the agent.
      • Capability inventory: The skill possesses high-impact tools including eval.js (JavaScript execution), nav.js (navigation), and start.js (access to user session profiles).
      • Sanitization: There is no evidence of sanitization or validation of data ingested from the web, allowing malicious instructions on a website to potentially influence the agent's behavior through these potent tools.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 4, 2026, 02:48 AM