chrome-automation
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the `agent-browser` CLI to automate interactions with the user's Chrome instance. This includes commands for navigation (`open`), element manipulation (`click`, `fill`), and executing JavaScript (`eval`) to extract or interact with page content as specified in `SKILL.md`.
- [EXTERNAL_DOWNLOADS]: The skill setup guide in `references/agent-browser-setup.md` instructs the user to install the `agent-browser` tool from the official npm registry. Because this package is maintained by Vercel Labs (a trusted organization), this reference is considered safe.
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because it reads and processes data from external, untrusted web pages to determine next steps in its automation workflows.
  - Ingestion points: Page element snapshots (`snapshot -i`), full-page text extraction (`get text body`), and external recording files (`recording.json`) processed in `SKILL.md`.
  - Boundary markers: Absent. There are no instructions to use specific delimiters or to disregard instructions found within the data retrieved from pages.
  - Capability inventory: The skill can execute local CLI commands via a subprocess and run JavaScript in the browser's main frame, providing a significant capability tier for potentially injected instructions.
  - Sanitization: There is no evidence of sanitization or filtering of external content before it is processed by the agent.
Audit Metadata