agent-browser-core
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The documentation instructs users to install the `agent-browser` package from the NPM registry. It recommends pinning specific versions and installing in dedicated environments to mitigate supply chain risks.
- [COMMAND_EXECUTION]: The skill utilizes the `Bash` tool to run CLI commands for web automation. It provides guidance on safe command sequences and operational guardrails for AI agents.
- [REMOTE_CODE_EXECUTION]: The documentation describes the `eval` command, which allows for arbitrary JavaScript execution within a browser session. This is correctly identified as a high-risk capability that should only be used with explicit human approval.
- [PROMPT_INJECTION]: As a tool designed for web automation and snapshotting, the skill creates an attack surface for indirect prompt injection from untrusted web content.
  - Ingestion points: Target URLs loaded via `open` and element content captured via `snapshot` (SKILL.md, agent-browser-workflows.md).
  - Boundary markers: The documentation suggests using structured snapshots and JSON output for deterministic parsing but does not define explicit delimiters for untrusted data.
  - Capability inventory: The agent has full browser control (click, fill, select) and can perform filesystem writes via the `download` command (references/agent-browser-command-map.md).
  - Sanitization: The skill explicitly recommends domain allowlisting, redacting tokens in logs, and avoiding file access unless required (references/agent-browser-safety.md).
Audit Metadata