agent-browser

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests and processes untrusted content from external websites.
      • Ingestion points: Web page content, interactive element descriptions, and text extraction are performed via the open, snapshot, and execute functions across various files.
      • Boundary markers: The provided templates and instructions do not implement explicit boundary markers or "ignore" instructions to prevent the agent from following directions embedded in the web content.
      • Capability inventory: The skill possesses significant capabilities, including arbitrary JavaScript execution (execute), form interaction, and file uploads.
      • Sanitization: There is no evidence of sanitization or filtering of the fetched DOM or text content before it is presented to the agent context.
  • [COMMAND_EXECUTION]: The skill exposes an execute function (detailed in references/commands.md) that allows the agent to run arbitrary JavaScript code within the browser context. While this is a core requirement for sophisticated web automation, it represents a high-privilege surface that could be exploited if the agent's logic is subverted by malicious site data.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 19, 2026, 02:15 AM
Security Audit — agent-trust-hub — agent-browser