browser-automation

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on the installation and execution of the agent-browser CLI tool to perform web interactions.
  • [REMOTE_CODE_EXECUTION]: Features an eval command that allows the agent to execute arbitrary JavaScript code within the browser context, a standard capability for complex automation.
  • [DATA_EXFILTRATION]: Provides the ability to read local files via file:// URLs when the --allow-file-access flag is explicitly used. It can also access the system clipboard and extract text from web pages.
  • [PROMPT_INJECTION]: As a tool that processes external web content, it possesses an indirect prompt injection surface. The author provides documented mitigations including content boundaries and domain allowlisting.
  • Ingestion points: Web content retrieved via snapshot, get text, screenshot, and network request inspection.
  • Boundary markers: Opt-in AGENT_BROWSER_CONTENT_BOUNDARIES environment variable wraps page content in nonces to help the agent distinguish instructions.
  • Capability inventory: The tool allows for JavaScript execution (eval), interactive clicks/typing, and file creation (screenshot, pdf).
  • Sanitization: Supports AGENT_BROWSER_ALLOWED_DOMAINS to restrict navigation and AGENT_BROWSER_ACTION_POLICY to gate destructive actions.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 16, 2026, 05:39 PM
Security Audit — agent-trust-hub — browser-automation