dev-browser
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill's primary workflow involves the agent generating and executing arbitrary TypeScript/JavaScript code by piping it to npx tsx. This provides full system access to the host machine beyond the browser context.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill performs runtime installation of NPM packages and Chromium binaries via npm install and playwright install. It also references an external browser extension from an untrusted GitHub repository (SawyerHood/dev-browser), which is not within the allowed trust scope.
- [COMMAND_EXECUTION] (MEDIUM): Initialization scripts utilize execSync to run shell commands like lsof and kill -9 on system ports, as well as to trigger package manager commands for binary setup.
- [DATA_EXFILTRATION] (MEDIUM): The skill documentation explicitly guides the agent on how to intercept, capture, and reuse authentication headers and session cookies from network requests, providing a clear path for sensitive data exfiltration.
- [PROMPT_INJECTION] (LOW): As a browser automation tool that processes external website content and ARIA snapshots without sanitization or boundary markers, the skill is highly vulnerable to indirect prompt injection from malicious web pages.
Recommendations
- AI detected serious security threats
Audit Metadata