steel-browser
Fail
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the official Steel CLI installer from 'https://setup.steel.dev/install.sh'. This is a necessary step for the skill's primary functionality and originates from the vendor's own infrastructure.
- [REMOTE_CODE_EXECUTION]: The skill executes a shell script downloaded from 'setup.steel.dev' by piping it directly to 'sh'. This is used to automate the installation of the Steel CLI. Additionally, the 'steel browser eval' command allows the agent to execute arbitrary JavaScript in the context of a remote browser session.
- [COMMAND_EXECUTION]: The skill relies on the 'Bash' tool to execute 'steel' CLI commands. This capability is restricted to the 'steel' binary prefix as defined in the skill's 'allowed-tools' metadata, which provides a layer of protection against general command injection.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it retrieves and processes content from external web pages that could contain malicious instructions designed to influence the agent's behavior.
  - Ingestion points: Web content retrieved via 'steel scrape' and accessibility trees from 'steel browser snapshot' (SKILL.md).
  - Boundary markers: Absent; there are no specific instructions or delimiters used to ensure the agent treats the scraped content strictly as data rather than instructions.
  - Capability inventory: The agent has access to 'Bash(steel:*)' for CLI operations and 'steel browser eval' for executing code in the browser (SKILL.md).
  - Sanitization: Absent; the skill does not perform any filtering or sanitization on the content extracted from external URLs before it is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://setup.steel.dev/install.sh - DO NOT USE without thorough review