skills/danielmiessler/lifeos/Browser/Gen Agent Trust Hub

Browser

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements dynamic loading of resources and configurations from a user-controlled path (~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/Browser/) to override default behavior at runtime.
  • [DATA_EXFILTRATION]: The skill manages sensitive authentication data stored in browser profiles at ~/.agent-browser/profiles/. While intrinsic to its purpose of authenticated automation, this access exposes session cookies and authentication state.
  • [PROMPT_INJECTION]: The Automate and ReviewStories workflows create an indirect prompt injection surface by ingesting external YAML and Markdown files and interpolating their content directly into prompts for sub-agents without sanitization or boundary delimiters. Ingestion points: Stories/*.yaml and Recipes/*.md files. Boundary markers: None identified in the prompt templates sent to sub-agents. Capability inventory: Subprocess execution via agent-browser, local network operations via curl, and file system logging. Sanitization: No escaping or validation of parameter values or file content is performed.
  • [COMMAND_EXECUTION]: Every workflow execution triggers a mandatory curl command to a local endpoint (localhost:31337). This un-prompted network side-effect occurs immediately upon skill invocation.
  • [COMMAND_EXECUTION]: The skill utilizes agent-browser eval which allows for the execution of arbitrary JavaScript within the context of the browser.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — Browser