agent-browser

Warn

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill provides tools for reading sensitive session information, including cookies and local storage, and saving them to local files using agent-browser state save. By default, these state files contain session tokens in plaintext. Additionally, the tool provides access to the system clipboard via agent-browser clipboard read and can be configured to allow the browser to access local files using the --allow-file-access flag.
  • [COMMAND_EXECUTION]: The agent-browser eval command allows for the execution of arbitrary JavaScript code within the browser context. This capability can be used to perform complex interactions or potentially exfiltrate data from web pages. The agent-browser batch command also allows executing a sequence of commands from a JSON array provided via stdin or a file.
  • [PROMPT_INJECTION]: As a tool designed to ingest and process content from any website, it is highly susceptible to indirect prompt injection. Malicious instructions embedded in a web page's text, HTML, or metadata could influence the agent's behavior. The skill documentation identifies this risk and suggests using the opt-in AGENT_BROWSER_CONTENT_BOUNDARIES feature to mitigate it.
      • Ingestion points: Web page content accessed via agent-browser open, snapshot, and get text/html commands.
      • Boundary markers: Supports opt-in markers via AGENT_BROWSER_CONTENT_BOUNDARIES, which wrap page content in nonces and origin labels.
      • Capability inventory: Extensive capabilities including network operations, file system writes (state, screenshots, PDFs, logs), and clipboard access.
      • Sanitization: Provides optional AGENT_BROWSER_ACTION_POLICY for gating destructive actions and AGENT_BROWSER_ALLOWED_DOMAINS for limiting navigation.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the agent-browser package and includes commands for downloading browser binaries (agent-browser install) and upgrading the tool (agent-browser upgrade).
  • [CREDENTIALS_UNSAFE]: While the skill encourages using environment variables for credentials, it also documents workflows for saving passwords to a vault or passing them via stdin (agent-browser auth save), which could lead to sensitive information residing in memory or temporary configurations if not managed correctly.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 17, 2026, 01:58 AM