cmux-browser
Warn
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's primary function is to wrap and execute shell commands for the cmux CLI tool to perform browser automation tasks.
- [CREDENTIALS_UNSAFE]: The skill provides commands such as 'state save', 'state load', and 'cookies set' to manage authentication data. While it documents best practices, the ability to save unencrypted session tokens and cookies to the local filesystem poses a risk of credential exposure if those files are accessed by unauthorized processes or users.
- [REMOTE_CODE_EXECUTION]: The skill exposes powerful commands such as 'eval', 'addscript', and 'addinitscript' which allow for the execution of arbitrary JavaScript within the browser's context. If the agent is influenced by malicious input to execute harmful scripts, it could lead to data exfiltration or session hijacking.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process data from external, untrusted websites.
  - Ingestion points: Data enters the context via 'snapshot', 'get text body', 'get html body', and 'get url' commands used in SKILL.md and references/commands.md.
  - Boundary markers: There are no explicit instructions or markers provided to the agent to treat website content as untrusted or to ignore embedded instructions.
  - Capability inventory: The skill has extensive capabilities including file system writes ('state save' in references/authentication.md), network interaction (browser navigation), and dynamic code execution ('eval' in references/commands.md).
  - Sanitization: No evidence of sanitization or filtering of the content retrieved from websites before it is processed by the agent.
Audit Metadata