agent-browser

Warn

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection. It extracts information from arbitrary web pages (via snapshot, get text, get html, console, and errors) and feeds it into the agent's context. A malicious website can embed hidden instructions within HTML, accessibility labels, or console logs to hijack the agent's behavior.
  • Ingestion points: SKILL.md documentation for snapshot, get text, get html, get title, get url, console, and errors.
  • Boundary markers: None mentioned; instructions do not advise the agent to ignore or delimit content from the browser.
  • Capability inventory: Full browser control including eval, fill, click, upload, network route, and cookies set.
  • Sanitization: No sanitization or validation of the extracted web content is performed before processing.
  • [DATA_EXFILTRATION]: The skill provides commands to access sensitive session information, specifically agent-browser cookies, agent-browser storage local, and agent-browser state save. In an adversarial scenario, these could be used to harvest authentication tokens, session IDs, or private user data stored in the browser.
  • [REMOTE_CODE_EXECUTION]: The agent-browser eval command allows for the execution of arbitrary JavaScript within the browser context. This capability can be abused to perform cross-site scripting (XSS) attacks, steal CSRF tokens, or interact with internal authenticated APIs accessible via the browser.
  • [COMMAND_EXECUTION]: The skill provides an extensive CLI interface for browser manipulation, including file uploads (upload) and data capture (screenshot, pdf, record). These tools can be used to exfiltrate visual information or interact with local file systems if the browser is navigated to file:// URLs.
  • [CREDENTIALS_UNSAFE]: The skill includes commands such as agent-browser set credentials (for HTTP Basic Auth) and agent-browser set headers which may lead to the agent handling or exposing plaintext credentials within its command history or logs.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 14, 2026, 09:01 AM
Security Audit — agent-trust-hub — agent-browser