agent-browser
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill enables the execution of arbitrary JavaScript within the browser context via the `agent-browser eval` command, as documented in `references/commands.md`. This allows the agent to perform complex operations on web pages, but it also provides a mechanism for running untrusted code if the agent is directed to malicious sites.
- [DATA_EXFILTRATION]: The skill manages sensitive browser session data, including cookies and localStorage. Documentation in `references/authentication.md` and `templates/authenticated-session.sh` describes patterns for saving this state to files (e.g., `auth-state.json`). While the tool offers an encrypted 'auth vault' for credentials, the exposure of session tokens in local files represents a potential data exposure risk if not handled carefully.
- [PROMPT_INJECTION]: As a web-browsing tool, the skill is inherently exposed to indirect prompt injection. Malicious instructions embedded in the HTML or text of a processed website could attempt to influence the agent's behavior.
  - Ingestion points: Web content processed via snapshots (`agent-browser snapshot`), text extraction (`agent-browser get text`), and screenshots, as mentioned in `SKILL.md` and `templates/capture-workflow.sh`.
  - Boundary markers: The skill provides an opt-in feature, `AGENT_BROWSER_CONTENT_BOUNDARIES`, described in `SKILL.md`, which wraps tool output in markers to help the agent distinguish page content from instructions.
  - Capability inventory: The agent can click, fill forms, upload files, and execute JavaScript across all scripts, providing a broad set of actions that could be triggered by injected instructions.
  - Sanitization: No mandatory sanitization is performed on ingested web content; the system relies on the agent's own filters or the optional boundary markers.
Audit Metadata