vercel-agent-browser
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install the
agent-browserpackage from global registries (NPM, Cargo, Homebrew). It also utilizes anagent-browser installcommand which downloads external binaries (Chrome for Testing) at runtime. - [COMMAND_EXECUTION]: Provides high-privilege automation capabilities including
agent-browser evalfor arbitrary JavaScript execution andagent-browser batchfor multi-step command sequences. - [DATA_EXFILTRATION]: Demonstrates patterns for accessing sensitive local and environment data, such as uploading local files via
agent-browser upload, retrieving browser cookies/storage, and interpolating environment variables like${PASSWORD}into CLI commands. - [PROMPT_INJECTION]: Vulnerable to indirect prompt injection by design, as it retrieves and processes untrusted content from arbitrary websites.
- Ingestion points:
agent-browser snapshot,agent-browser get text, andagent-browser eval(reading DOM content) inSKILL.md. - Boundary markers: Absent; the skill does not define delimiters or provide instructions to ignore embedded commands in retrieved web data.
- Capability inventory: Includes file system access (
upload), network interception (network route), and JavaScript evaluation (eval). - Sanitization: No sanitization or validation of external content is mentioned before it is processed by the agent.
- [METADATA_POISONING]: The skill uses the name 'vercel-agent-browser', which may lead users to believe it is an official Vercel product, whereas the overview identifies the author as 'ara.so' (Aradotso).
Audit Metadata