chrome-cdp
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill provides a mechanism for the agent to ingest untrusted data from web pages, which serves as a surface for indirect prompt injection.
  - Ingestion points: Web content is retrieved through accessibility tree snapshots, HTML element extraction, and network resource logs in `scripts/cdp.mjs`.
  - Boundary markers: The skill does not implement delimiters or safety instructions to distinguish external web content from the agent's internal logic.
  - Capability inventory: The skill possesses high-impact capabilities including arbitrary JavaScript execution (`Runtime.evaluate`), automated typing, and navigation.
  - Sanitization: No data filtering or sanitization is performed on information fetched from the browser.
- [COMMAND_EXECUTION]: The skill executes local system commands to manage background daemon processes.
  - Evidence: In `scripts/cdp.mjs`, the script uses `child_process.spawn` to run itself in a detached mode to maintain persistent WebSocket connections to the browser.
- [REMOTE_CODE_EXECUTION]: The skill enables the execution of arbitrary code within the browser context.
  - Evidence: The `eval` and `evalraw` commands provide a direct interface for the agent to execute JavaScript expressions and raw DevTools Protocol methods in active tabs.
Audit Metadata