bdg
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill exposes commands like `bdg dom eval` and `bdg cdp Runtime.evaluate`, which execute arbitrary JavaScript strings within the browser instance. This allows for dynamic code execution using data potentially sourced from untrusted web pages.
- [DATA_EXFILTRATION]: The tool can retrieve sensitive session data, such as browser cookies, using the `bdg cdp Network.getCookies` command. Additionally, it allows capturing and saving page screenshots to the local filesystem.
- [COMMAND_EXECUTION]: The skill enables the use of security-reducing browser flags like `--disable-web-security` and `--ignore-certificate-errors`. These configurations can be used to bypass Same-Origin Policy (SOP) and other browser-level protections.
- [PROMPT_INJECTION]: The skill lacks sanitization and boundary markers when ingesting untrusted web content via URLs. This creates a surface for indirect prompt injection, where malicious DOM content can influence agent behavior or exploit the skill's capabilities (JS execution, file writes, and network control).
- [COMMAND_EXECUTION]: The skill interacts with the host system by executing the `bdg` CLI to manage Chrome processes and browser sessions.
Audit Metadata