webmcp-browser-tools
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill encourages the installation of several npm packages under the @mcp-b/ scope (e.g., @mcp-b/react-webmcp, @mcp-b/webmcp-polyfill). These packages are not from trusted organizations and do not match the author's known handle, presenting a supply chain risk.
- [PROMPT_INJECTION]: The skill includes deceptive metadata and content, claiming a 'verified' status and citing dates in the future (2026). This misinformation can lead agents or users to bypass safety considerations based on false claims of authority.
- [PROMPT_INJECTION]: The skill's architecture creates a significant surface for Indirect Prompt Injection.
  - Ingestion points: Data and tool definitions are ingested from web applications via window.navigator.modelContext.provideContext, as shown in SKILL.md and templates/implementation-template.md.
  - Boundary markers: There are no delimiters or 'ignore' instructions provided in the templates to differentiate between legitimate tool outputs and malicious instructions embedded in the web page state.
  - Capability inventory: Tools registered through this skill have access to the browser's DOM, active session data, and the ability to execute client-side JavaScript.
  - Sanitization: The implementation templates lack any form of input validation or output sanitization, allowing raw data from a web application to be processed directly by the agent.
Audit Metadata