browser-max-automation

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes content from external, untrusted websites.
  • Ingestion points: Untrusted data enters the agent context through browser_snapshot, browser_take_screenshot, and document.body.innerText extraction.
  • Boundary markers: The instructions do not specify any delimiters or safety prompts to prevent the agent from following instructions embedded within the analyzed web content.
  • Capability inventory: The skill provides the agent with high-impact capabilities, including clicking elements (browser_click), typing into forms (browser_type), and executing arbitrary JavaScript in the browser context (browser_evaluate).
  • Sanitization: No sanitization, filtering, or validation is performed on the ingested web content before it is processed by the agent.
  • [EXTERNAL_DOWNLOADS]: The skill configuration utilizes npx to fetch and run the latest version of the Playwright MCP server from the official NPM registry.
  • [COMMAND_EXECUTION]: The documentation includes PowerShell commands for launching browser instances with remote debugging enabled, managing network connections, and configuring environment variables like PYTHONIOENCODING.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 06:41 PM
Security Audit — agent-trust-hub — browser-max-automation