skills/anentrypoint/plugforge/browser/Gen Agent Trust Hub

browser

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill allows the execution of arbitrary JavaScript code in a browser session via the playwriter -e argument and the exec:browser tool pathway. While this is the intended purpose of the skill, it creates a surface for dynamic code execution. Evidence found in the navigation and interaction examples in SKILL.md.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the web.
      • Ingestion points: Web content enters the agent context through page.goto, snapshot, and screenshotWithAccessibilityLabels commands in SKILL.md.
      • Boundary markers: There are no specified delimiters or 'ignore' instructions to distinguish between trusted system prompts and untrusted website data.
      • Capability inventory: The agent's access to the Bash tool through restricted commands increases the potential impact if the agent follows malicious instructions from a site.
      • Sanitization: No evidence of sanitization or filtering of website content was found in the skill definition.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 11:44 PM