agent-browser
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFEREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides an 'eval' command that allows the execution of arbitrary JavaScript within the browser. This is a core feature for complex web interactions but introduces a potential code execution path.
- Evidence: 'agent-browser eval' functionality described in SKILL.md and references/commands.md.
- [DATA_EXFILTRATION]: The skill can save and restore browser sessions, including cookies and localStorage, which may contain sensitive authentication tokens. It also supports local file access via an explicit flag.
- Evidence: 'agent-browser state save' and '--allow-file-access' features in SKILL.md and references/session-management.md.
- [PROMPT_INJECTION]: As a tool that processes external website data, it is inherently susceptible to indirect prompt injection from malicious content hosted on third-party domains.
- Ingestion points: 'agent-browser snapshot' and 'get text' (SKILL.md).
- Boundary markers: Support for 'AGENT_BROWSER_CONTENT_BOUNDARIES' is documented (SKILL.md).
- Capability inventory: Shell command execution (Bash), JavaScript eval, and file write operations (multiple files).
- Sanitization: Provides domain allowlisting and output limits to reduce attack surfaces (SKILL.md).
Audit Metadata