agent-browser
Warn
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the `agent-browser` CLI to interact with the system and browser environment. It includes several commands that perform file system writes, such as `agent-browser screenshot path.png`, `agent-browser pdf output.pdf`, `agent-browser record start`, and `agent-browser state save auth.json`.
- [DATA_EXFILTRATION]: The skill includes high-risk commands for accessing sensitive user data, specifically `agent-browser cookies` and `agent-browser storage`. These commands allow the extraction of active session tokens and private storage data from the browser, which could be exfiltrated if the agent is manipulated.
- [REMOTE_CODE_EXECUTION]: The `agent-browser eval` command enables the execution of arbitrary JavaScript code within the context of the current web page. This allows for dynamic execution that could be abused to perform actions on behalf of the user or bypass security controls within the browser.
- [PROMPT_INJECTION]: The skill has a high exposure to indirect prompt injection (Category 8) due to its core function of processing untrusted web content.
  - Ingestion points: Data enters the agent's context through `agent-browser open`, `agent-browser snapshot`, and various `agent-browser get` commands.
  - Boundary markers: There are no instructions or delimiters defined to help the agent distinguish between its own system instructions and potentially malicious instructions embedded in the web pages it visits.
  - Capability inventory: The skill provides a wide range of powerful tools, including cookie retrieval, file system writing, and JavaScript execution, which could be leveraged by an indirect injection attack.
  - Sanitization: The documentation provides no guidance on sanitizing or validating information retrieved from external URLs before processing.
Audit Metadata