agent-browser
Warn
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing the agent-browser CLI tool with various arguments, providing a powerful interface for system interaction.
- [REMOTE_CODE_EXECUTION]: The agent-browser eval command allows arbitrary JavaScript execution within the browser's context. This capability can be leveraged to perform complex, unmonitored actions on web pages.
- [CREDENTIALS_UNSAFE]: The agent-browser set credentials command accepts and processes HTTP basic authentication credentials in plaintext, creating a risk of credential exposure in command logs or process lists.
- [DATA_EXFILTRATION]: The skill facilitates the extraction of sensitive data through commands like agent-browser cookies and agent-browser storage local, which can be used to harvest authentication tokens and session data.
- [EXTERNAL_DOWNLOADS]: Capabilities such as agent-browser screenshot, agent-browser pdf, and agent-browser state save allow the agent to write data and page snapshots to the local filesystem.
- [PROMPT_INJECTION]: The skill's primary function of reading web content introduces a significant indirect prompt injection surface. The agent is instructed to interpret page content returned by the snapshot and get commands, which may contain malicious instructions.
- Ingestion points: Untrusted data from web pages via agent-browser snapshot, get text, and get html (SKILL.md).
- Boundary markers: Absent. The agent is expected to interpret raw tool output containing potentially adversarial content.
- Capability inventory: Subprocess execution (agent-browser), arbitrary JS execution (eval), and file system writes (screenshot, pdf, state save) across the skill.
- Sanitization: Absent. There is no mention of filtering or escaping external content before the agent processes it.
Audit Metadata