Security Audit
claude-chrome
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrationsTrust Assessment
claude-chrome received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include Unpinned `npx` dependency for `chrome-devtools-mcp`, Arbitrary JavaScript execution via `evaluate_script` tool, Broad browser access and potential local file system write capabilities.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 6a655802). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned `npx` dependency for `chrome-devtools-mcp` The installation instructions for the 'Chrome DevTools MCP' option use `npx chrome-devtools-mcp@latest`. Using `@latest` means the dependency version is unpinned. If a malicious version of `chrome-devtools-mcp` is published to the npm registry, it could be automatically downloaded and executed, leading to arbitrary command execution on the host system. Pin the dependency to a specific, known-good version (e.g., `npx chrome-devtools-mcp@1.2.3`) to prevent automatic execution of potentially malicious updates. Regularly audit and update the pinned version. | Static | SKILL.md:150 | |
| HIGH | Arbitrary JavaScript execution via `evaluate_script` tool The `evaluate_script` tool allows the LLM to execute arbitrary JavaScript code within the context of the user's browser. A compromised or maliciously instructed LLM could use this to perform actions like data exfiltration, session hijacking, or defacement within the browser's sandbox. Implement strict input validation and sanitization for any code passed to `evaluate_script`. Consider sandboxing the execution environment further or limiting the scope of available JavaScript APIs if possible. Ensure user confirmation for sensitive script executions. | Static | SKILL.md:183 | |
| HIGH | Broad browser access and potential local file system write capabilities The skill grants extensive control over the user's Chrome browser, including access to authenticated sessions, reading DOM content, monitoring network requests, and executing arbitrary JavaScript. Furthermore, examples like 'Save as CSV' and 'save it to a file' imply the ability to write data to the local file system. This broad access, while central to the skill's function, poses a significant risk for data exfiltration and unauthorized actions if the LLM is compromised or misused. Implement robust user confirmation mechanisms for all high-risk actions, especially those involving data extraction, writing to local files, or interacting with sensitive authenticated sites. Clearly document the scope of permissions and potential risks to users. Consider implementing a whitelist for allowed file system paths if local file writes are necessary. | Static | SKILL.md:68 | |
| MEDIUM | Access to authenticated browser sessions The skill operates within the user's existing authenticated Chrome browser session ('Uses your browser's login state - no re-authentication needed'). This means the LLM has access to all cookies, local storage, and session data for sites the user is logged into. Combined with the ability to read page content and monitor network requests, this creates a risk for credential harvesting if the LLM is compromised or instructed to extract sensitive session information. While inherent to the skill's design, users should be made aware of this risk. The documentation mentions 'Site-level permissions control' and 'High-risk actions require confirmation,' which are good mitigations. Ensure these mitigations are robust and clearly communicated. | Static | SKILL.md:116 |
Scan History
Embed Code
[](https://skillshield.io/report/02c57399550e7975)
Powered by SkillShield