Agent Browser
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions for installing the `agent-browser` CLI globally via npm and provides steps to build the tool from source using a public repository from Vercel Labs.
- [REMOTE_CODE_EXECUTION]: The `agent-browser eval` command allows for the dynamic execution of arbitrary JavaScript within the browser's context. This is a core feature for automation but poses a risk if the agent is manipulated into executing code provided by a malicious website.
- [DATA_EXFILTRATION]: The skill includes commands to access and save browser session data, such as `agent-browser cookies` and `agent-browser state save auth.json`. These features handle sensitive session tokens and authentication data which could be targeted for exfiltration.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it allows an agent to ingest and act upon data from arbitrary external websites.
  - Ingestion points: External content is retrieved using `agent-browser snapshot`, `agent-browser get text`, and `agent-browser get html` across various commands in SKILL.md.
  - Boundary markers: Absent; the skill does not instruct the agent to use delimiters or specific safety instructions when processing retrieved web content.
  - Capability inventory: High; the agent can interact with pages (`click`, `fill`), execute script (`eval`), and manage authentication state (`cookies`, `state`).
  - Sanitization: Absent; no content filtering or validation mechanisms are described for data retrieved from web pages.
- [CREDENTIALS_UNSAFE]: The command `agent-browser set credentials` is used to provide HTTP basic authentication details. While a standard feature, it involves the handling of plain-text credentials within the command execution flow.
Audit Metadata