browser-automation-agent
Fail
Audited by Gen Agent Trust Hub on May 27, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes Node.js code snippets that use
child_process.execSyncto invoke the CLI tool with unsanitized template literals. This creates a critical command injection vulnerability if user-supplied inputs like URLs, element references, or form values contain shell metacharacters (e.g.,url = 'https://example.com; rm -rf /'). Evidence found in functionsbrowserCommand,openAndSnapshot, andfillFormin SKILL.md. - [DATA_EXFILTRATION]: The skill provides explicit commands to retrieve sensitive browser data, including
agent-browser cookies getandagent-browser storage get. These capabilities allow an agent (or a malicious actor influencing the agent) to harvest session tokens and authentication credentials from the browser environment. Evidence found in thebrowser_session_managementsection of SKILL.md. - [EXTERNAL_DOWNLOADS]: The documentation instructs the user to run
agent-browser install, which automatically downloads a Chromium binary from an external source. While common for browser automation tools, this introduces an unverified binary dependency into the execution environment. Evidence found in the installation instructions in SKILL.md. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests untrusted data from the web via accessibility snapshots (
agent-browser snapshot) and text extraction (agent-browser text). - Ingestion points: Web page content and accessibility trees are read into the agent's context (SKILL.md).
- Boundary markers: The 'Agent prompt' section lacks boundary markers or instructions to ignore commands embedded in the processed web data.
- Capability inventory: The agent has access to shell execution (
execSync) and sensitive data access (cookies get). - Sanitization: There is no evidence of sanitization or filtering for the data retrieved from the browser before it is passed to the LLM or subsequent commands.
Recommendations
- AI detected serious security threats
Audit Metadata