preview-testing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core function of browsing external websites.
  - Ingestion points: Uses mcp__claude-in-chrome__read_page (accessibility tree), read_console_messages, and read_network_requests (SKILL.md) to ingest content from external Vercel Preview URLs.
  - Boundary markers: Absent. There are no instructions for the agent to distinguish between its own logic and instructions found on the target page.
  - Capability inventory: The agent can perform mcp__claude-in-chrome__computer actions (clicks, keyboard input) and execute shell commands via npx playwright.
  - Sanitization: Absent. The agent is directed to 'Find interactive elements' and 'Click' based on unvalidated external content.
- COMMAND_EXECUTION (MEDIUM): The skill executes shell commands which could be abused.
  - Evidence: Uses npx playwright test and npm run test:e2e.
  - Risk: If the BASE_URL parameter or target files are manipulated via external inputs, this could lead to arbitrary command execution on the host machine.
- EXTERNAL_DOWNLOADS (LOW): The skill communicates with external Vercel deployments.
  - Evidence: Navigates to dynamically generated Vercel Preview URLs. While standard for the skill's purpose, it represents the primary attack vector for data ingestion.
Recommendations
- AI detected serious security threats
Audit Metadata