browser-max-automation
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes content from external, untrusted websites.
- Ingestion points: Untrusted data enters the agent context through
browser_snapshot,browser_take_screenshot, anddocument.body.innerTextextraction. - Boundary markers: The instructions do not specify any delimiters or safety prompts to prevent the agent from following instructions embedded within the analyzed web content.
- Capability inventory: The skill provides the agent with high-impact capabilities, including clicking elements (
browser_click), typing into forms (browser_type), and executing arbitrary JavaScript in the browser context (browser_evaluate). - Sanitization: No sanitization, filtering, or validation is performed on the ingested web content before it is processed by the agent.
- [EXTERNAL_DOWNLOADS]: The skill configuration utilizes
npxto fetch and run the latest version of the Playwright MCP server from the official NPM registry. - [COMMAND_EXECUTION]: The documentation includes PowerShell commands for launching browser instances with remote debugging enabled, managing network connections, and configuring environment variables like
PYTHONIOENCODING.
Audit Metadata