agent-browser
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation recommends downloading a setup script from https://cli.inference.sh. This domain belongs to the vendor of the tool.
- [REMOTE_CODE_EXECUTION]: The installation instructions utilize the curl | sh pattern to execute a remote shell script. While this is a common distribution method for CLI tools, it involves direct execution of remote code.
- [COMMAND_EXECUTION]: The skill requires the Bash tool with permission to run infsh. This allows the agent to interact with the system and external services through the command line. Additionally, the execute function allows running arbitrary JavaScript in the browser context.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
  - Ingestion points: The skill retrieves and processes HTML and text data from arbitrary websites via the open, snapshot, and execute functions.
  - Boundary markers: The skill templates do not provide delimiters or instructions to help the agent distinguish between webpage content and legitimate instructions.
  - Capability inventory: The skill enables arbitrary JavaScript execution on web pages and can execute shell commands via the infsh tool.
  - Sanitization: No sanitization is applied to the data extracted from the browser before it is presented to the agent, allowing malicious content on a webpage to potentially influence the agent's behavior.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
Audit Metadata