Browser
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements dynamic loading of resources and configurations from a user-controlled path (
~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/Browser/) to override default behavior at runtime. - [DATA_EXFILTRATION]: The skill manages sensitive authentication data stored in browser profiles at
~/.agent-browser/profiles/. While intrinsic to its purpose of authenticated automation, this access exposes session cookies and authentication state. - [PROMPT_INJECTION]: The Automate and ReviewStories workflows create an indirect prompt injection surface by ingesting external YAML and Markdown files and interpolating their content directly into prompts for sub-agents without sanitization or boundary delimiters. Ingestion points:
Stories/*.yamlandRecipes/*.mdfiles. Boundary markers: None identified in the prompt templates sent to sub-agents. Capability inventory: Subprocess execution viaagent-browser, local network operations viacurl, and file system logging. Sanitization: No escaping or validation of parameter values or file content is performed. - [COMMAND_EXECUTION]: Every workflow execution triggers a mandatory
curlcommand to a local endpoint (localhost:31337). This un-prompted network side-effect occurs immediately upon skill invocation. - [COMMAND_EXECUTION]: The skill utilizes
agent-browser evalwhich allows for the execution of arbitrary JavaScript within the context of the browser.
Audit Metadata