mcp-chrome-devtools

Warn

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [DATA_EXFILTRATION]: The mcp__chrome-devtools__upload_file tool provides the capability to read any file from the local file system and upload it to a target web page. This could be used to exfiltrate sensitive credentials or private data if the agent is directed to a malicious site.
  • [DATA_EXFILTRATION]: The take_screenshot and take_snapshot tools allow saving browser content to arbitrary local file paths via the filePath parameter, which could be used for unauthorized file writes or data harvesting.
  • [REMOTE_CODE_EXECUTION]: The evaluate_script tool allows for the execution of arbitrary JavaScript within the browser context. While restricted to the browser environment, this can be used to bypass client-side security controls, steal session cookies, or perform actions on behalf of a logged-in user.
  • [DATA_EXFILTRATION]: Tools like list_network_requests and list_console_messages provide access to all data passing through the browser, including sensitive API headers (e.g., Authorization), cookies, and debug information that may contain secrets.
  • [COMMAND_EXECUTION]: The skill enables full UI automation through tools like click, fill_form, and press_key. The agent can therefore perform complex actions on websites, which could include modifying account settings or initiating transfers if malicious instructions are followed.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from web pages.
      • Ingestion points: Browser content is ingested via take_snapshot, list_console_messages, and list_network_requests (referenced in SKILL.md and references/tools.md).
      • Boundary markers: There are no instructions defining boundaries or warning the agent to ignore instructions found within the browser data.
      • Capability inventory: The agent has powerful capabilities including evaluate_script, upload_file, and automated UI interaction (click, fill).
      • Sanitization: There is no mention of sanitization or filtering for the data retrieved from the browser before it is processed by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 27, 2026, 03:28 PM