agent-browser

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its primary function is to ingest and process content from external, untrusted web pages via accessibility snapshots and text extraction. Maliciously crafted content on a website could attempt to redirect the agent's behavior.
  • Ingestion points: agent-browser snapshot and agent-browser get text as described in SKILL.md and reference documentation.
  • Boundary markers: The skill documents an opt-in --content-boundaries feature in SKILL.md to help the agent distinguish between tool output and untrusted page content.
  • Capability inventory: The skill enables navigation, element interaction, state persistence, local file access (--allow-file-access), and JavaScript evaluation.
  • Sanitization: No automated content sanitization is described; it relies on boundary markers and agent interpretation.
  • [COMMAND_EXECUTION]: The agent-browser eval command, documented in SKILL.md and references/commands.md, allows for the dynamic execution of JavaScript code within the browser context. This provides a powerful mechanism for complex automation that could be abused if the agent is misled by external content.
  • [EXTERNAL_DOWNLOADS]: The skill is configured to use agent-browser via npx in the allowed-tools section of SKILL.md. This involves downloading the package from the NPM registry, which is a standard distribution method for this vendor's tools.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 08:37 AM
Security Audit — agent-trust-hub — agent-browser