browsing
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Susceptible to Indirect Prompt Injection via ingested web content.
  - Ingestion points: The 'extract' action and the 'navigate' tool's auto-capture feature return page text, HTML, and Markdown from external websites into the agent's context.
  - Boundary markers: Page content is returned without explicit delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill can execute JavaScript ('eval'), interact with UI elements ('click', 'type'), and navigate to arbitrary URLs.
  - Sanitization: Content ingested from the web is not sanitized before being presented to the agent.
- [REMOTE_CODE_EXECUTION]: The 'eval' action allows the agent to execute arbitrary JavaScript within the browser session. This is an intended feature but poses a high risk if the agent is compromised by malicious instructions found on a webpage.
- [COMMAND_EXECUTION]: The 'chrome-ws' script and the core library launch a Chrome browser process using 'child_process.spawn'. The browser is started with security-sensitive flags, including '--no-sandbox', which reduces the process isolation boundaries to facilitate automation.
- [REMOTE_CODE_EXECUTION]: Automated scanning detected a high-risk pattern in the 'test-raw.sh' script: 'curl -s http://127.0.0.1:9222/json | node'. Although the piped JavaScript is a static string used to parse JSON from a local debugging port, the practice of piping network output directly to an interpreter is generally considered a vulnerability surface.
Recommendations
- HIGH: Downloads and executes remote code from: http://127.0.0.1:9222/json - DO NOT USE without thorough review
Audit Metadata