Skills
skills/rafaelcalleja/claude-market-place/chrome-devtools/Gen Agent Trust Hub

chrome-devtools

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The screenshot.js script is vulnerable to command injection because it constructs shell commands by directly interpolating the --output file path into a string executed by execSync. A malicious file path containing shell metacharacters could execute arbitrary commands on the host system. Evidence: const compressionCmd = magick "${filePath}" -strip -resize 90% -quality 85 "${tempPath}"; in scripts/screenshot.js.
  • [REMOTE_CODE_EXECUTION]: The evaluate.js script enables arbitrary JavaScript execution within the browser context using the eval() function. This is a powerful but risky capability that can be exploited if the agent is directed to execute untrusted code in a browser session. Evidence: return eval(script); within a page.evaluate() block in scripts/evaluate.js.
  • [EXTERNAL_DOWNLOADS]: The skill's installation scripts (install.sh and install-deps.sh) download and install a large number of third-party system libraries and Node.js packages. This requires broad network access and root privileges for system-level changes. Evidence: npm install and the various apt-get, dnf, and pacman commands found in the setup scripts.
  • [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection as it ingests and processes untrusted data from any website the agent visits. 1. Ingestion points: Web page content (DOM), console messages, and network responses are captured by scripts like snapshot.js, console.js, and network.js. 2. Boundary markers: There are no explicit markers or instructions used to prevent the agent from treating data extracted from web pages as instructions. 3. Capability inventory: The skill can write files to the local system, execute shell commands (via the image compression feature), and run arbitrary scripts in the browser. 4. Sanitization: While selector.js contains a basic validateXPath function to block common injection patterns in selectors, there is no sanitization for the general web content processed by the skill.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 12, 2026, 12:04 PM