agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from external websites via accessibility snapshots and scraping. It possesses high-risk capabilities including the ability to click elements, fill forms, and navigate to arbitrary URLs. A malicious website could embed hidden instructions to hijack the agent's session, perform unauthorized actions on other sites (if authenticated), or exfiltrate information via URL parameters.
- External Dependency (MEDIUM): The skill requires the installation of the agent-browser package from NPM. This is an unverifiable third-party dependency from an unvetted author ('linuxlewis'). A compromised or malicious version of this package could execute arbitrary code on the host system or monitor browser traffic.
- Data Exposure (MEDIUM): The skill's ability to take screenshots and save PDFs allows for the capture of sensitive information displayed in the browser. If the agent is used to access private accounts, this functionality could be used to exfiltrate PII or session data.
- Command Execution (LOW): The skill operates by executing CLI commands on the host. While these are localized to the agent-browser tool, any vulnerability in the CLI's argument parsing could lead to broader command injection.
Recommendations
- AI detected serious security threats
Audit Metadata