chrome-automation
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is centered around executing shell commands via the `agent-browser` CLI. These commands control the user's browser through the Chrome DevTools Protocol, performing actions such as listing tabs, navigating URLs, and interacting with page elements.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it ingests untrusted data from live websites via the `snapshot -i` and `get text body` commands. Malicious instructions embedded in web content could theoretically influence the agent's behavior.
  - Ingestion points: Browser content is retrieved through `agent-browser snapshot -i` and `agent-browser get text body` (SKILL.md).
  - Boundary markers: Explicit boundary markers for external web content are absent in the prompt templates.
  - Capability inventory: The agent has extensive capabilities including shell command execution (`agent-browser`), browser-based JavaScript execution (`eval`), and high-level interaction (`click`, `fill`, `open`).
  - Sanitization: The skill includes human-in-the-loop requirements, such as 'Confirm with the user before submitting/publishing' and instructions to stop if login or CAPTCHAs are encountered.
- [REMOTE_CODE_EXECUTION]: The skill utilizes the `eval` command of the `agent-browser` utility to execute JavaScript within the browser's main-frame context. While this is a functional requirement for browser automation and data extraction, it allows for arbitrary code execution in the browser context which should be monitored for misuse.
- [EXTERNAL_DOWNLOADS]: The setup instructions recommend installing the `agent-browser` utility from an official registry. This tool originates from a well-known development organization and is consistent with the skill's stated purpose.
Audit Metadata