agent-browser
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
beltCLI tool, as specified in theallowed-toolssection, to perform browser automation tasks such as opening sessions, interacting with elements, and closing browsers. - [EXTERNAL_DOWNLOADS]: The documentation references external installation scripts and resources from the
inference-shGitHub repository. These are utilized to set up the necessary environment for thebeltCLI tool. - [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it retrieves and processes content from external web pages via functions like
open,snapshot, andexecute. Malicious content on third-party websites could attempt to influence the agent's behavior. - Ingestion points: Content is ingested from the web through the
open,snapshot, andexecutefunctions described inSKILL.mdandreferences/commands.md. - Boundary markers: No specific boundary markers or instruction-ignoring warnings are implemented to separate web-sourced data from agent instructions.
- Capability inventory: The skill allows the agent to perform actions such as clicking elements, filling forms, and executing JavaScript, which could be exploited by injected instructions.
- Sanitization: The skill does not appear to sanitize or filter the data retrieved from external web pages before providing it to the agent context.
Audit Metadata