captcha-relay
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill includes a 'Browser Relay' feature in
lib/browser-relay.jsthat acts as a remote administration interface. It captures the browser viewport as a stream and executes received mouse and keyboard events directly into the session using the Chrome DevTools Protocol. When active with a public tunnel, this allows anyone with the URL to control the automated browser without authentication. - [EXTERNAL_DOWNLOADS]: In
lib/tunnel.js, the skill invokesnpx localtunnel, which dynamically downloads and executes thelocaltunnelpackage from the npm registry at runtime to establish a public URL. - [COMMAND_EXECUTION]: The skill spawns external processes for
npxandcloudflaredto manage network connectivity for the relay server. - [COMMAND_EXECUTION]: Uses the
Runtime.evaluatemethod of the Chrome DevTools Protocol to inject and run custom JavaScript within the context of automated web pages for detecting CAPTCHAs and injecting solved tokens. - [PROMPT_INJECTION]: The skill possesses an indirect injection surface. Untrusted data enters the agent context through DOM attribute extraction (e.g.,
data-sitekey) inlib/detect.js. No explicit boundary markers or 'ignore' instructions are used. The skill has high capabilities, including arbitrary JS execution and input dispatch via CDP. No sanitization is performed on the extracted data before it is interpolated into HTML templates.
Audit Metadata