browser
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies extensively on executing the `agent-browser` binary via the shell. This includes passing user-provided URLs and arbitrary JavaScript code for evaluation within the browser context.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests and processes untrusted data from the open web.
  - Ingestion points: Web page content is brought into the agent's context through `agent-browser snapshot` (accessibility tree), `agent-browser console` (log messages), and `agent-browser network requests` (API payloads and headers).
  - Boundary markers: The instructions do not define clear delimiters or warnings to the agent to ignore instructions embedded within the processed web data.
  - Capability inventory: The agent has significant capabilities that could be abused if it follows malicious instructions from a website, including `eval` (JavaScript execution), `fill` (data entry), `click` (interaction), and `upload` (file system access).
  - Sanitization: No explicit sanitization or validation of the data retrieved from the browser is performed before it is presented to the agent.
Audit Metadata