agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the agent-browser CLI to perform automation tasks. It includes high-risk commands such as 'agent-browser eval' and 'agent-browser wait --fn', which execute arbitrary JavaScript within the web page context.
- [DATA_EXFILTRATION]: Several commands allow for the retrieval and potential exposure of sensitive session data, including 'agent-browser cookies', 'agent-browser storage local', and 'agent-browser state save auth.json'. These capabilities can be used to extract authentication tokens or other private information from a browser session.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process untrusted content from the web while possessing high-impact system capabilities.
- Ingestion points: Untrusted data enters the agent context through 'agent-browser open', 'snapshot', and various 'get' commands defined in SKILL.md.
- Boundary markers: There are no markers or instructions provided to distinguish between valid task instructions and potentially malicious content found on web pages.
- Capability inventory: The skill enables file writing (screenshots, PDFs, session states, video recordings, and traces), network routing/interception, and JavaScript execution ('eval').
- Sanitization: No mechanisms for sanitizing, escaping, or validating the content retrieved from web pages are specified in the instructions.
Audit Metadata