agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUMPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is inherently susceptible to indirect prompt injection because its primary function is to ingest and process untrusted data from external websites. An attacker could embed malicious instructions in a web page that the agent then parses and follows.
- Ingestion points:
agent-browser open,agent-browser snapshot,agent-browser get text(SKILL.md) - Boundary markers: None identified in the provided instructions to differentiate between user instructions and web content.
- Capability inventory: The tool can click elements, fill forms, execute JavaScript, save/load session states, and upload files (SKILL.md).
- Sanitization: No explicit sanitization or filtering of web content is described before processing.
- [DATA_EXFILTRATION]: The skill documents and enables the use of the
file://protocol combined with the--allow-file-accessflag. This allows the agent to read local system files (such as PDFs and HTML documents) into the browser context. If an agent is misled by a malicious website or instruction, this capability could be used to expose sensitive local data. - [COMMAND_EXECUTION]: The skill provides an
evalcommand that allows the execution of arbitrary JavaScript within the browser's context. This capability can be used to extract sensitive data from the DOM, manipulate web application logic, or perform actions on behalf of a logged-in user. - [EXTERNAL_DOWNLOADS]: The skill includes a setup command
agent-browser installwhich downloads the Chromium browser and potentially system-level dependencies. It also references the installation of the third-partyappiumpackage for iOS automation.
Audit Metadata