agent-browser
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires installing a global NPM package `agent-browser` and mentions integrating with external services like AWS Bedrock and Vercel Sandbox.
- [REMOTE_CODE_EXECUTION]: Instructions are loaded dynamically at runtime using the `agent-browser skills get core` command, which fetches workflows from an external CLI service.
- [COMMAND_EXECUTION]: Provides tools to programmatically control browsers and desktop applications (Slack, VS Code, Figma) via bash commands.
- [DATA_EXFILTRATION]: The skill accesses sensitive data sources such as Slack workspaces and Electron app data, and manages an 'authentication vault' for session persistence.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface identified. The skill's core function is to process untrusted data from the web.
  - Ingestion points: External websites, DOM trees, and accessibility snapshots.
  - Boundary markers: None identified in the provided stub.
  - Capability inventory: Execution of system commands, interaction with authenticated sessions, and data scraping.
  - Sanitization: No sanitization mechanisms are described for handling untrusted input.