browser-automation
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the installation and execution of the
agent-browserCLI tool to perform web interactions. - [REMOTE_CODE_EXECUTION]: Features an
evalcommand that allows the agent to execute arbitrary JavaScript code within the browser context, a standard capability for complex automation. - [DATA_EXFILTRATION]: Provides the ability to read local files via
file://URLs when the--allow-file-accessflag is explicitly used. It can also access the system clipboard and extract text from web pages. - [PROMPT_INJECTION]: As a tool that processes external web content, it possesses an indirect prompt injection surface. The author provides documented mitigations including content boundaries and domain allowlisting.
- Ingestion points: Web content retrieved via
snapshot,get text,screenshot, and network request inspection. - Boundary markers: Opt-in
AGENT_BROWSER_CONTENT_BOUNDARIESenvironment variable wraps page content in nonces to help the agent distinguish instructions. - Capability inventory: The tool allows for JavaScript execution (
eval), interactive clicks/typing, and file creation (screenshot,pdf). - Sanitization: Supports
AGENT_BROWSER_ALLOWED_DOMAINSto restrict navigation andAGENT_BROWSER_ACTION_POLICYto gate destructive actions.
Audit Metadata