agent-browser

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the belt CLI tool, as specified in the allowed-tools section, to perform browser automation tasks such as opening sessions, interacting with elements, and closing browsers.
  • [EXTERNAL_DOWNLOADS]: The documentation references external installation scripts and resources from the inference-sh GitHub repository. These are utilized to set up the necessary environment for the belt CLI tool.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it retrieves and processes content from external web pages via functions like open, snapshot, and execute. Malicious content on third-party websites could attempt to influence the agent's behavior.
  • Ingestion points: Content is ingested from the web through the open, snapshot, and execute functions described in SKILL.md and references/commands.md.
  • Boundary markers: No specific boundary markers or instruction-ignoring warnings are implemented to separate web-sourced data from agent instructions.
  • Capability inventory: The skill allows the agent to perform actions such as clicking elements, filling forms, and executing JavaScript, which could be exploited by injected instructions.
  • Sanitization: The skill does not appear to sanitize or filter the data retrieved from external web pages before providing it to the agent context.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 04:47 PM