browser-automation
Fail
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Requires manual installation of a Chrome extension and a global NPM package from unverified third-party sources (github.com/femto/mcp-chrome).
- [COMMAND_EXECUTION]: Installation instructions require running shell commands (
npm install -g,mcp-chrome-bridger register) to set up a native bridge between the AI and the host system, granting the AI agent access to local system resources via the MCP protocol. - [DATA_EXFILTRATION]: Significant risk of unauthorized data access and authenticated exfiltration:
- Accesses sensitive user data via
chrome_history,chrome_bookmark_search, andchrome_get_web_content. - The
chrome_network_requesttool is explicitly designed to send arbitrary HTTP requests using the user's active browser cookies, allowing for actions to be taken on behalf of the user on any website where they are logged in. - [PROMPT_INJECTION]: Significant surface for Indirect Prompt Injection (Category 8):
- Ingestion points: Web content retrieved via
chrome_get_web_contentfrom arbitrary, potentially attacker-controlled URLs. - Boundary markers: Absent; there are no instructions or delimiters provided to prevent the agent from following commands embedded within the retrieved HTML or text content.
- Capability inventory: Includes powerful browser interaction tools (
chrome_click_element,chrome_keyboard) and network operations (chrome_network_request) that could be maliciously triggered by instructions hidden on a webpage. - Sanitization: None; external web content is ingested and processed directly by the agent without validation.
Recommendations
- AI detected serious security threats
Audit Metadata