autobrowse
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local Node.js scripts (scripts/evaluate.mjs) that invoke the browse CLI tool for site navigation and automation.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external websites (via execution traces and summaries) to update its automation strategies (strategy.md).
- Ingestion points: Browser activity and site content are recorded in summary.md and trace.json files within the ./autobrowse/traces/ directory.
- Boundary markers: The skill does not implement clear delimiters or instructions to ignore embedded commands within the processed trace data.
- Capability inventory: The agent possesses Write, Edit, and Bash capabilities, which are used to modify project files and execute automation code.
- Sanitization: Website content is processed without evident sanitization or validation before being used to inform strategy updates.
- [COMMAND_EXECUTION]: The skill includes a 'graduation' feature that programmatically writes new skill files to the user's home directory (~/.claude/skills/), which could let generated logic persist across different sessions.
Audit Metadata