agent-browser
Fail
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: HIGH
Risk tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to run the browser tool using `nix run github:numtide/llm-agents.nix#agent-browser`. This command downloads and executes code directly from a remote GitHub repository at runtime, which bypasses static security verification and allows the remote code to be modified by the repository owner without the user's consent.
- [COMMAND_EXECUTION]: The `eval` and `eval -b` commands allow the execution of arbitrary JavaScript within the browser context. This can be used to bypass page-level security, access internal browser state, or perform actions that are not possible through standard DOM interactions.
- [EXTERNAL_DOWNLOADS]: The skill relies on fetching its core executable from a remote source via Nix, creating a dependency on external infrastructure that is not part of the provided trusted vendor list.
- [DATA_EXFILTRATION]: The skill provides capabilities to read sensitive browser data (cookies, localStorage, session state) and local system files (via the `upload` command and `file://` protocols). When combined with the tool's networking capabilities, these features can be used to harvest and exfiltrate credentials or sensitive local data to remote servers.
- [CREDENTIALS_UNSAFE]: The documentation suggests practices that may lead to credential exposure, such as hardcoding `Authorization` headers with Bearer tokens and storing sensitive session state or passwords in local files like `~/.auth/app.json`. Although encryption is mentioned, these files become high-value targets for exfiltration.
- [PROMPT_INJECTION]: As a tool designed to process and interact with untrusted web content, the skill is a primary target for indirect prompt injection. A malicious website could provide instructions within the page content that the agent might follow if boundaries are not strictly enforced.
- [COMMAND_EXECUTION]: The `-b` flag in the `eval` command enables the execution of Base64-encoded JavaScript payloads. This is a common obfuscation technique used to hide malicious intent from security scanners and manual review.
Recommendations
- AI detected serious security threats
Audit Metadata