agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The SKILL.md file contains instructions to install a CLI tool using a high-risk pattern: curl -fsSL https://cli.inference.sh | sh. This executes a remote script from an untrusted source directly in the user's shell environment.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill relies on external software from an unverified domain (inference.sh) which is not part of the trusted organization or repository list.
- [CREDENTIALS_UNSAFE] (MEDIUM): Multiple files, including templates/authenticated-session.sh and references/authentication.md, provide templates for handling sensitive information such as passwords, 2FA tokens, and OAuth secrets. These workflows increase the risk of credential exposure if environment variables or session logs are mishandled.
- [DATA_EXFILTRATION] (MEDIUM): The skill documentation explicitly demonstrates how to extract sensitive session data, such as cookies, using the execute function to run JavaScript. This capability can be abused to exfiltrate private user information to attacker-controlled domains.
- [COMMAND_EXECUTION] (LOW): The skill uses the Bash provider to run the infsh command-line tool, allowing the agent to perform actions on the local system via CLI calls.
- [PROMPT_INJECTION] (LOW): The skill is highly susceptible to indirect prompt injection because it ingests arbitrary content from the web and provides powerful automation tools to act on that content.
  - Ingestion points: Functions like open, snapshot, and execute pull data from external websites into the agent's context.
  - Boundary markers: None detected; there are no instructions for the agent to distinguish between system prompts and instructions found within web content.
  - Capability inventory: The skill can perform clicks, type text, navigate URLs, and execute arbitrary JavaScript.
  - Sanitization: No evidence of input sanitization or validation of web content before it is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata