browser-automation
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The documentation in SKILL.md and TOOLS.md recommends invoking the skill via node -e shell commands. This execution model relies on the calling agent to sanitize inputs properly; otherwise it could be exploited for command injection on the host system.
- [DATA_EXFILTRATION]: The handleUpload function in index.js allows the agent to read any file from the host's filesystem and upload it to a web form. This capability poses a high risk of exfiltration of sensitive data such as SSH keys or environment secrets.
- [REMOTE_CODE_EXECUTION]: Through the handleEvaluate function in index.js, the skill can execute arbitrary JavaScript within the browser context. This allows an attacker to manipulate the DOM, steal session cookies, or bypass site-specific security measures.
- [PROMPT_INJECTION]: The SKILL.md file contains instructions that attempt to override the agent's internal tool selection logic by stating that it should be used instead of the built-in browser tools.
- [EXTERNAL_DOWNLOADS]: The skill uses the playwright library, a well-known browser automation framework that automatically downloads browser binaries from official sources to enable automation tasks.
- [DATA_EXFILTRATION]: The skill supports connecting to a user's existing Chrome instance via the Chrome DevTools Protocol (CDP) on port 9222. This grants the agent full access to the user's logged-in accounts, history, and private data in their primary browser profile.
- [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection.
  - Ingestion points: Content from external websites is retrieved using functions like handleGetContent in index.js.
  - Boundary markers: The skill lacks explicit delimiters or instructions to ignore embedded commands within the fetched HTML.
  - Capability inventory: The toolset includes highly permissive functions such as handleEvaluate, handleUpload, and handleNavigate.
  - Sanitization: There is no evidence of filtering or validation of content fetched from the web before it is processed by the agent.
Audit Metadata