Browser Automation Expert
Warn
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: MEDIUM | COMMAND_EXECUTION | DATA_EXFILTRATION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The utility script `scripts/with_server.py` is designed to execute arbitrary shell commands to start servers and run automation tasks. It uses `subprocess.Popen(shell=True)` and `subprocess.run()` on arguments passed directly to the script, which could be exploited if an attacker can influence the command-line arguments.
  - Evidence: File `scripts/with_server.py` uses `subprocess.Popen(server['cmd'], shell=True)` and `subprocess.run(args.command)` where both variables are derived from user-supplied arguments.
- [DATA_EXFILTRATION]: The example script `examples/static_html_automation.py` demonstrates the ability to automate interactions with local files using the `file://` protocol. This capability can be misused to read sensitive system files if the agent is directed to an unintended path.
  - Evidence: File `examples/static_html_automation.py`: `file_url = f'file://{html_file_path}'` followed by `page.goto(file_url)`.
- [PROMPT_INJECTION]: The skill is intended to scrape and process content from external websites, which serves as an ingestion point for untrusted data. This makes the agent vulnerable to indirect prompt injection attacks where instructions hidden on a webpage could influence the agent's behavior.
  - Ingestion Points: `examples/element_discovery.py` and `examples/console_logging.py` navigate to external URLs and extract text or console logs.
  - Boundary Markers: None identified; the scripts do not use delimiters or instructions to ignore embedded commands in the scraped content.
  - Capability Inventory: The agent has the ability to execute shell commands via `scripts/with_server.py` and read/write local files.
  - Sanitization: No sanitization or validation is performed on the data extracted from the browser before it is processed or printed.