setup-browser-cookies
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill fetches and executes an installation script from bun.sh via curl | bash. While bun.sh is a well-known and established service for JavaScript runtimes, executing remote scripts directly in the shell is a high-privilege operation.
- [DATA_EXFILTRATION]: The skill's primary function is to access sensitive browser cookie databases (Chrome, Brave, Edge, etc.) and decrypt them. This process involves reading local application data and may trigger macOS Keychain prompts to retrieve the necessary decryption keys, crossing significant security boundaries.
- [COMMAND_EXECUTION]: Executes local scripts and binaries such as ./setup and cookie-import-browser. These tools perform low-level system operations to detect browsers and extract session data.
- [PROMPT_INJECTION]: The skill instructions explicitly direct the agent to treat local files like AGENTS.md, TODO.md, and TODOS.md as sources of instructions. This creates a vulnerability to indirect prompt injection if an attacker can commit malicious instructions to these files within a repository.
  - Ingestion points: AGENTS.md, TODO.md, TODOS.md (SKILL.md).
  - Boundary markers: None identified; instructions are treated as authoritative sources.
  - Capability inventory: Shell execution (bash), local script execution (./setup), and credential extraction (cookie decryption).
  - Sanitization: No sanitization or validation of the content within the referenced markdown files is mentioned.
Recommendations
- HIGH: Downloads and executes remote code from: https://bun.sh/install - DO NOT USE without thorough review