agent-browser
Warn
Audited by Gen Agent Trust Hub on May 27, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill in SKILL.md directs the agent to download the agent-browser package and to fetch additional instruction sets (skills) from remote sources at runtime using agent-browser skills get.
- [COMMAND_EXECUTION]: SKILL.md requires the agent to install a Node.js package globally and to execute various CLI commands to automate browsers and desktop applications.
- [REMOTE_CODE_EXECUTION]: The mechanism to fetch 'skills' via the CLI in SKILL.md acts as dynamic instruction loading, where the agent's logic is updated from an external source after the initial audit of the skill file.
- [DATA_EXFILTRATION]: The skill is designed to automate sensitive applications like Slack, Discord, and VS Code, and utilizes an 'authentication vault' for session data, creating a risk surface for handling and potential exposure of sensitive user credentials and private information.
- [PROMPT_INJECTION]: As an automation tool for arbitrary web content (Ingestion points: accessibility trees/web content in SKILL.md), the agent processes untrusted data without specified sanitization or boundary markers, while possessing high-impact capabilities (Capability inventory: form filling, messaging) that can be exploited via indirect prompt injection.
Audit Metadata