browser-ability
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content from arbitrary external websites.
- Ingestion points: Data is ingested from websites through browser tools called via
mcpClient.callToolinscript.js. - Boundary markers: The skill does not implement boundary markers or instructions to the agent to disregard instructions found within the processed data.
- Capability inventory: The skill possesses the capability to control a browser instance via CDP and execute various tools provided by the remote MCP server.
- Sanitization: There is no evidence of sanitization or filtering of the retrieved website content before it is passed to the AI agent.
- [DATA_EXFILTRATION]: The skill transmits the user-defined
CDP_URL(which identifies the browser's control interface) to theSERVER_URLin thex-cdp-urlHTTP header during the connection phase. - [EXTERNAL_DOWNLOADS]: The script connects to a remote MCP server at a dynamically provided
SERVER_URLto fetch tool definitions and execute remote logic. - [COMMAND_EXECUTION]: The skill facilitates the execution of browser actions and tool-based commands through a combination of the Chrome DevTools Protocol and the Model Context Protocol.
Audit Metadata