browser-work
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Executes shell commands to initialize session directories in
~/.hoyeon/, generate session identifiers usingopenssl, and manage files usingcatand redirection. - [EXTERNAL_DOWNLOADS]: Utilizes
npxto download and execute the@team-attention/chromuxpackage if it is not found in the system path. This package is a resource associated with the skill author. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted data from external websites and using it to influence sub-agent behavior.
- Ingestion points: Captures website accessibility trees and text via
chromux snapshotinSKILL.md(Step 2). - Boundary markers: Site content is stored in a guide file and then interpolated directly into a sub-agent prompt without explicit boundary delimiters or instructions to ignore embedded commands.
- Capability inventory: The
browser-explorersub-agent has capabilities to click, fill forms, type, and navigate pages. - Sanitization: There is no visible sanitization or filtering of the ingested web content before it is provided to the sub-agent.
Audit Metadata