browsing
Fail
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `test-raw.sh` script contains a pattern where output from a local network request is piped directly to the Node.js interpreter for parsing (`curl -s http://127.0.0.1:9222/json | node -pe`). While targeting a local service, this remains a risky practice.
- [COMMAND_EXECUTION]: The `chrome-ws-lib.js` file uses `child_process.execSync` to run system commands (`sips`, `identify`, `convert`) for image processing. Although file paths are generated internally, this involves dynamic shell execution.
- [COMMAND_EXECUTION]: The library uses `child_process.spawn` to launch the browser process with specific command-line arguments.
- [PROMPT_INJECTION]: The skill facilitates the ingestion of arbitrary web content (HTML, text, and markdown) into the agent's context. This creates a surface for indirect prompt injection attacks where malicious instructions on a web page could override agent behavior.
  - Ingestion points: Navigation and content extraction actions in `SKILL.md` and `chrome-ws-lib.js`.
  - Boundary markers: The skill does not implement delimiters or warnings to isolate untrusted web content.
  - Capability inventory: Includes arbitrary JavaScript execution (`eval`), file system writes, and browser control across all scripts.
  - Sanitization: No filtering or sanitization is performed on the data fetched from the web.
Recommendations
- HIGH: Downloads and executes remote code from: http://127.0.0.1:9222/json - DO NOT USE without thorough review