dev-browser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill instructs the agent to execute arbitrary TypeScript code via npx tsx, which provides a direct path for the LLM to run malicious shell commands on the host machine.
- EXTERNAL_DOWNLOADS (HIGH): The skill references an untrusted GitHub repository (SawyerHood/dev-browser) for downloading software and runs npm i, exposing the system to potential malware from a non-whitelisted source.
- DATA_EXFILTRATION (HIGH): Through 'Extension Mode', the skill accesses the user's live, authenticated browser sessions. This allows for the exfiltration of sensitive data, such as session cookies or private information from logged-in websites.
- COMMAND_EXECUTION (HIGH): The workflow requires the agent to run background processes and interactive scripts, providing extensive control over the local environment without explicit permission boundaries.
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection. Ingestion points: page.goto and getAISnapshot (SKILL.md). Boundary markers: Absent. Capability inventory: Arbitrary script execution via npx tsx and browser manipulation (SKILL.md). Sanitization: Absent. This allows external content to potentially hijack the agent's actions and misuse its high-tier capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata