agent-browser
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its primary function is to ingest and process content from external, untrusted web pages via accessibility snapshots and text extraction. Maliciously crafted content on a website could attempt to redirect the agent's behavior.
- Ingestion points:
agent-browser snapshotandagent-browser get textas described inSKILL.mdand reference documentation. - Boundary markers: The skill documents an opt-in
--content-boundariesfeature inSKILL.mdto help the agent distinguish between tool output and untrusted page content. - Capability inventory: The skill enables navigation, element interaction, state persistence, local file access (
--allow-file-access), and JavaScript evaluation. - Sanitization: No automated content sanitization is described; it relies on boundary markers and agent interpretation.
- [COMMAND_EXECUTION]: The
agent-browser evalcommand, documented inSKILL.mdandreferences/commands.md, allows for the dynamic execution of JavaScript code within the browser context. This provides a powerful mechanism for complex automation that could be abused if the agent is misled by external content. - [EXTERNAL_DOWNLOADS]: The skill is configured to use
agent-browservianpxin theallowed-toolssection ofSKILL.md. This involves downloading the package from the NPM registry, which is a standard distribution method for this vendor's tools.
Audit Metadata