camofox-browser
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- External Downloads (MEDIUM): The
scripts/setup.shfile installs the@askjo/camofox-browserpackage from the npm registry. The author@askjois not on the list of trusted organizations or repositories provided in the security guidelines.\n- Remote Code Execution (MEDIUM): Following installation, thescripts/setup.shscript automatically executes the package's entry point (node server.js) to start a local server. This pattern constitutes executing code from an unverified external source.\n- Indirect Prompt Injection (LOW): The skill provides an interface to ingest untrusted web data and perform actions based on it, creating an injection surface.\n - Ingestion points: Accessibility snapshots of websites are ingested via the
camofox snapshotcommand (referenced inSKILL.mdandreferences/api-reference.md).\n - Boundary markers: Absent; the snapshots are returned as plain text without delimiters or instructions to ignore embedded commands.\n
- Capability inventory: The skill possesses high-interaction capabilities including
click,type, and navigation commands (open,navigate).\n - Sanitization: None; the accessibility tree is returned to the agent without filtering or sanitization of potentially malicious instructions embedded in the page metadata or content.
Audit Metadata