chrome-devtools-skill

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions specify that the AI agent should automatically perform setup tasks like launching the browser and starting the MCP server, potentially bypassing user control.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to download and run the chrome-devtools-mcp package using the @latest tag, which is an unverified external dependency with no version pinning.
  • [REMOTE_CODE_EXECUTION]: Executing remote packages via npx at runtime constitutes unverified remote code execution.
  • [COMMAND_EXECUTION]: Launching Chrome with remote debugging enabled and starting background services requires the agent to execute shell commands.
  • [PROMPT_INJECTION]: The skill exposes a large attack surface for indirect prompt injection:
      1. Ingestion points: Data is pulled from arbitrary websites via browser navigation and script evaluation.
      2. Boundary markers: No delimiters are used to separate web content from agent instructions.
      3. Capability inventory: The skill can execute shell commands, run arbitrary JavaScript in a browser, and perform network requests.
      4. Sanitization: Extracted data is not sanitized or filtered before being passed to the LLM.
  • [COMMAND_EXECUTION]: Example scripts disable SSL certificate verification using ssl._create_unverified_context, which is a significant security regression that exposes data to interception.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 28, 2026, 08:14 PM