chrome-devtools
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The
scripts/install-deps.shandscripts/install.shfiles usesudoto install system dependencies. Although required for running Chromium on Linux, this grants the skill elevated privileges during the setup phase.\n- [REMOTE_CODE_EXECUTION] (MEDIUM): Thescripts/evaluate.jsscript enables arbitrary JavaScript execution within the page context viaeval(). This is an intended feature but represents a code execution surface that could be exploited via malicious web content.\n- [EXTERNAL_DOWNLOADS] (MEDIUM): The installation process fetches packages from NPM and system repositories. While these are standard sources, the extensive dependency chain should be reviewed by users before execution with root privileges.\n- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8) due to its processing of untrusted external web content.\n - Ingestion points: Web page data accessed through
navigate.js,snapshot.js, andconsole.js.\n - Boundary markers: Absent. The skill does not implement delimiters or warnings when passing external content to the agent.\n
- Capability inventory: Arbitrary JavaScript execution (
evaluate.js), local filesystem writes (screenshot.js,network.js), and process execution (ImageMagick viaexecFileSync).\n - Sanitization:
selector.jsprovides robust validation for XPath and CSS selectors, but the skill lacks sanitization for the JavaScript strings passed to theevaluate.jsscript.
Audit Metadata