reflex-browser

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill requires setting a non-standard NPM registry (https://git.bqa-solutions.nl/api/packages/reflex/npm/) to install the @reflexautomation/reflex-cli package, which bypasses official package registries.
  • [REMOTE_CODE_EXECUTION]: The skill includes instructions to execute reflex agent download and reflex agent runtime install, which are designed to fetch and install binary components (a JAR file and a Java runtime) from remote servers into the local environment.
  • [DYNAMIC_EXECUTION]: The skill provides the reflex lua exec command and refers to a reflex-scripting skill, allowing the agent to generate and execute Lua scripts at runtime for automation tasks.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to scrape and interact with external websites through the summary and html commands. This creates an attack surface where malicious instructions embedded in a website's content could be processed by the agent, potentially influencing its subsequent actions.
      • Ingestion points: Browser summary and HTML data from any website the agent navigates to (SKILL.md).
      • Boundary markers: None mentioned; the skill does not explicitly instruct the agent to ignore instructions found within the scraped website data.
      • Capability inventory: Includes file system interactions via xlsx/csv libraries, network operations through browser commands, and binary execution via the agent command set.
      • Sanitization: No sanitization or validation steps for external content are described before the data is processed by the agent.
  • [COMMAND_EXECUTION]: The workflow heavily relies on executing shell-level CLI commands for session management, browser control, and agent recovery, which interact directly with the host system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 10, 2026, 12:12 PM