agent-browser
Warn
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection. It extracts information from arbitrary web pages (via
snapshot,get text,get html,console, anderrors) and feeds it into the agent's context. A malicious website can embed hidden instructions within HTML, accessibility labels, or console logs to hijack the agent's behavior. - Ingestion points: SKILL.md documentation for
snapshot,get text,get html,get title,get url,console, anderrors. - Boundary markers: None mentioned; instructions do not advise the agent to ignore or delimit content from the browser.
- Capability inventory: Full browser control including
eval,fill,click,upload,network route, andcookies set. - Sanitization: No sanitization or validation of the extracted web content is performed before processing.
- [DATA_EXFILTRATION]: The skill provides commands to access sensitive session information, specifically
agent-browser cookies,agent-browser storage local, andagent-browser state save. In an adversarial scenario, these could be used to harvest authentication tokens, session IDs, or private user data stored in the browser. - [REMOTE_CODE_EXECUTION]: The
agent-browser evalcommand allows for the execution of arbitrary JavaScript within the browser context. This capability can be abused to perform cross-site scripting (XSS) attacks, steal CSRF tokens, or interact with internal authenticated APIs accessible via the browser. - [COMMAND_EXECUTION]: The skill provides an extensive CLI interface for browser manipulation, including file uploads (
upload) and data capture (screenshot,pdf,record). These tools can be used to exfiltrate visual information or interact with local file systems if the browser is navigated tofile://URLs. - [CREDENTIALS_UNSAFE]: The skill includes commands such as
agent-browser set credentials(for HTTP Basic Auth) andagent-browser set headerswhich may lead to the agent handling or exposing plaintext credentials within its command history or logs.
Audit Metadata