actionbook
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides the command `actionbook browser cookies list`, which allows the agent to extract all cookies from the current browser session, including sensitive session tokens and authentication data.
- [DATA_EXFILTRATION]: The 'Extension mode' (`--extension` flag) allows the agent to control the user's actual Chrome browser, granting access to live sessions, existing logins, and private data across all open tabs.
- [COMMAND_EXECUTION]: The `actionbook browser eval` command permits the execution of arbitrary JavaScript within the browser's context, which could be used to manipulate page content, steal local storage data, or perform actions on behalf of the user.
- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection. It ingests untrusted data from external websites using `actionbook browser text`, `html`, and `snapshot` commands without explicit boundary markers or sanitization, potentially allowing malicious web content to influence agent behavior.
  - Ingestion points: Web content is retrieved via `browser text`, `browser html`, and `browser snapshot` in `SKILL.md` and `command-reference.md`.
  - Boundary markers: None identified; instructions do not specify the use of delimiters or 'ignore' instructions for scraped content.
  - Capability inventory: The agent can perform file writes (screenshots/PDFs), execute JavaScript (`eval`), and perform network-based navigation.
  - Sanitization: No evidence of input validation or content filtering before passing data to the LLM.
- [COMMAND_EXECUTION]: The `actionbook extension install` command performs system-level modifications by registering a native messaging host on the local machine, which is a form of software installation that alters browser and OS configurations.
Audit Metadata