automating-chrome
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): In references/chrome-advanced.md, the snippet for incognito spawning uses app.doShellScript(). This allows the agent to execute arbitrary shell commands on the host macOS system, providing a direct vector for privilege escalation or system compromise.
- REMOTE_CODE_EXECUTION (HIGH): Multiple snippets (e.g., chrome-advanced.md, chrome-form-automation.md) utilize tab.execute({ javascript: ... }) to run arbitrary code within browser tabs. This grants the agent full control over the browser session and page content.
- DATA_EXFILTRATION (MEDIUM): The execWithTitleTunnel pattern in chrome-advanced.md and URL batch reading in chrome-recipes.md allow the agent to extract information from the browser's DOM, page titles, and history, which could include sensitive session data or private information.
- PROMPT_INJECTION (HIGH): The skill creates a significant surface for indirect prompt injection by reading content from untrusted external websites.
  - Ingestion points: Page DOM, URLs, and titles are retrieved via JXA commands and processed by the agent context.
  - Boundary markers: No delimiters or instructions are provided to the agent to ignore embedded commands within the retrieved web data.
  - Capability inventory: The agent possesses high-impact capabilities including host shell access (doShellScript) and browser DOM modification (tab.execute).
  - Sanitization: While JSON.stringify is used to safely interpolate values into scripts sent to the browser, no sanitization is performed on data retrieved from the browser before it is used to influence agent decisions.
Recommendations
- AI detected serious security threats
Audit Metadata