agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
agent-browser evalandagent-browser wait --fncommands allow the execution of arbitrary JavaScript code within the browser context. This capability can be abused if the agent is directed to run code derived from untrusted web content. - [DATA_EXFILTRATION]: The skill provides commands to access and persist sensitive information.
agent-browser cookiesretrieves session cookies, andagent-browser state savewrites cookies, local storage, and other session metadata to local files. Additionally,agent-browser screenshotandagent-browser pdfcan write page content to the file system. - [EXTERNAL_DOWNLOADS]: The skill supports the use of custom browser executables via the
--executable-pathflag and the loading of arbitrary browser extensions via the--extensionflag. These could be used to modify browser behavior or execute untrusted code if misconfigured by the user or an attacker. - [PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted data from the internet via
snapshot,get text, andget htmlcommands. This content is provided to the agent's context without explicit boundary markers or sanitization. The skill possesses high-privilege capabilities including file writing (screenshots, state saving), network configuration (proxies, routing), and code execution (eval), and does not implement sanitization for the external content before presenting it to the agent, creating a clear surface for indirect prompt injection attacks.
Audit Metadata