agent-browser
Warn
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
executefunction allows the agent to run arbitrary JavaScript code within the browser context. This is a core capability for automation but also provides a powerful mechanism for data manipulation or extraction that could be abused if the agent's instructions are compromised. - [DATA_EXFILTRATION]: The skill is explicitly designed for scraping and content extraction. It can be used to retrieve sensitive data from websites, including those requiring authentication. The
screenshotandexecutefunctions can be used to capture and export page content to the agent's context or external files. - [PROMPT_INJECTION]: As a web-browsing tool, the skill is susceptible to Indirect Prompt Injection. Content retrieved from websites via the
openandsnapshotfunctions is processed by the agent, potentially allowing malicious actors to embed instructions on web pages that override the agent's original goals. - Ingestion points: Web content enters the context via
open,snapshot, andexecutefunctions across all templates and references. - Boundary markers: No specific boundary markers or 'ignore' instructions for web-sourced content are defined in the provided files.
- Capability inventory: The skill can execute shell commands (
belt), perform browser interactions (click, fill), and execute arbitrary JS. - Sanitization: No sanitization of extracted HTML text or element descriptions is implemented before passing the data to the agent.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
belt-sh/clivianpxand references the use ofoathtoolfor TOTP generation in authentication flows. These represent external tool dependencies that must be managed securely. - [CREDENTIALS_UNSAFE]: The
openandinteractfunctions support passing proxy and site credentials (passwords, TOTP secrets) as plaintext JSON parameters. While the documentation warns against hardcoding these, the skill's architecture requires them to be passed through the command line or environment variables.
Audit Metadata