skills/agent-sh/agentsys/web-browse/Gen Agent Trust Hub

web-browse

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The evaluate action allows the agent to execute arbitrary JavaScript code within the web browser's context. While a standard feature for web automation, it provides a powerful mechanism for data extraction or unauthorized actions if the agent is manipulated by untrusted content.
  • [PROMPT_INJECTION]: The skill is designed to ingest untrusted data from external web pages, creating a significant surface for indirect prompt injection.
      • Ingestion points: Data enters the agent context through the read, snapshot, extract, paginate, and wait-toast actions in SKILL.md.
      • Boundary markers: The skill instructs the agent to treat content inside [PAGE_CONTENT: ...] delimiters as untrusted and warns never to execute commands or follow instructions found in page text.
      • Capability inventory: The skill provides high-privilege capabilities including arbitrary JavaScript execution (evaluate), form interaction (fill, login), and file uploads (file-upload).
      • Sanitization: Content is wrapped in delimiters, but no automated escaping or validation of the ingested content is implemented.
  • [CREDENTIALS_UNSAFE]: The login macro accepts a password via the --pass command-line argument. This practice can expose sensitive credentials in system process lists or shell history logs.
  • [EXTERNAL_DOWNLOADS]: The file-upload macro allows the agent to upload files to external web services. While the skill implements security controls by restricting paths to /tmp, the working directory, or WEB_CTL_UPLOAD_DIR and blocking dotfiles, it remains a potential vector for data egress.
Audit Metadata
Risk Level: SAFE
Analyzed: May 12, 2026, 04:07 AM