web-browser
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The eval.js script executes arbitrary JavaScript within the browser context using new AsyncFunction. This allows the agent to interact with and extract data from visited pages.
- COMMAND_EXECUTION (LOW): The bench-all.js and bench-eval.js scripts use spawnSync to execute local tool scripts like nav.js and eval.js.
- DATA_EXFILTRATION (MEDIUM): SKILL.md documents a profile-copying feature for start.js that uses rsync to duplicate the user's Chrome data, including sensitive PII and session cookies.
- PROMPT_INJECTION (LOW): Category 8: Indirect Prompt Injection. The skill is susceptible to malicious instructions embedded in web content. Ingestion points: nav.js, eval.js, pick.js. Boundary markers: Absent. Capability inventory: spawnSync, puppeteer, screenshot.js. Sanitization: None.
- EXTERNAL_DOWNLOADS (LOW): The documentation suggests commands involving an external Homebrew tap (tkersey/tap/lift) for verifying tool dependencies.
Audit Metadata