product-reverse
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Dynamic Execution (MEDIUM): The file `references/chrome-patterns.md` contains an embedded JavaScript snippet designed to be executed via `javascript_tool`. This script performs runtime inspection of the DOM and window objects.
  - Evidence: The script checks for frameworks, state management tools, and specifically searches for authentication tokens in `document.cookie` and `localStorage` (e.g., `token`, `jwt`, `session_id`).
- Indirect Prompt Injection (LOW): As a browser automation skill, it is designed to ingest and process content from untrusted external websites.
  - Ingestion points: `read_page`, `get_page_text`, and `read_network_requests` tools in `references/chrome-patterns.md`.
  - Boundary markers: The patterns do not specify the use of delimiters (like XML tags or triple backticks) when passing scraped content back to the LLM.
  - Capability inventory: The skill can execute JavaScript, click elements, and navigate, which could be abused if an external site contains malicious instructions.
  - Sanitization: No explicit sanitization or validation of the scraped text is mentioned before it is processed by the agent.
- Data Exposure (LOW): The tech stack detection script explicitly attempts to identify and extract authentication tokens and session identifiers.
  - Evidence: Code in `references/chrome-patterns.md` uses regex to match `token|jwt|session_id|auth` in cookies and retrieves items like `access_token` from local storage. While intended for documenting the 'Auth mechanism', this exposes sensitive session data to the agent's context.
Audit Metadata