browser-automation-agent

Fail

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes Node.js code snippets that use child_process.execSync to invoke the CLI tool with unsanitized template literals. This creates a critical command injection vulnerability if user-supplied inputs like URLs, element references, or form values contain shell metacharacters (e.g., url = 'https://example.com; rm -rf /'). Evidence found in functions browserCommand, openAndSnapshot, and fillForm in SKILL.md.
  • [DATA_EXFILTRATION]: The skill provides explicit commands to retrieve sensitive browser data, including agent-browser cookies get and agent-browser storage get. These capabilities allow an agent (or a malicious actor influencing the agent) to harvest session tokens and authentication credentials from the browser environment. Evidence found in the browser_session_management section of SKILL.md.
  • [EXTERNAL_DOWNLOADS]: The documentation instructs the user to run agent-browser install, which automatically downloads a Chromium binary from an external source. While common for browser automation tools, this introduces an unverified binary dependency into the execution environment. Evidence found in the installation instructions in SKILL.md.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests untrusted data from the web via accessibility snapshots (agent-browser snapshot) and text extraction (agent-browser text).
  • Ingestion points: Web page content and accessibility trees are read into the agent's context (SKILL.md).
  • Boundary markers: The 'Agent prompt' section lacks boundary markers or instructions to ignore commands embedded in the processed web data.
  • Capability inventory: The agent has access to shell execution (execSync) and sensitive data access (cookies get).
  • Sanitization: There is no evidence of sanitization or filtering for the data retrieved from the browser before it is passed to the LLM or subsequent commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 27, 2026, 07:58 AM
Security Audit — agent-trust-hub — browser-automation-agent