web-browser
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The `scripts/start.js` script uses `execSync` to execute `rsync` for copying the browser profile and `mkdir`/`rm` for environment setup. It also uses `spawn` to launch the browser process and the background logging script `scripts/watch.js`.
- [CREDENTIALS_UNSAFE]: The `scripts/start.js` script includes a `--profile` option that copies the user's local Google Chrome profile directory (`~/Library/Application Support/Google/Chrome/`) to a cache directory. This profile contains highly sensitive data, including session cookies, saved login credentials, and history.
- [DATA_EXFILTRATION]: The `scripts/watch.js` script continuously records all network request and response metadata, console logs, and exceptions into JSONL files at `~/.cache/agent-web/logs`. This creates a large local repository of potentially sensitive information that could be targeted for exfiltration.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. It enables the agent to navigate to untrusted websites and retrieve content through `scripts/eval.js` and `scripts/pick.js`. There are no boundary markers or sanitization mechanisms to prevent malicious web content from influencing the agent's behavior.
  - Ingestion points: Browser content accessed via `scripts/eval.js`, `scripts/nav.js`, and `scripts/pick.js`.
  - Boundary markers: None; content from the web is processed directly by the agent.
  - Capability inventory: The skill can execute shell commands (`start.js`), run arbitrary JavaScript in the browser (`eval.js`), and perform file system writes (logging and screenshots).
  - Sanitization: None; the skill provides raw access to browser execution and data.