browser-guide
Warn
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill explicitly directs the agent to ask the user for plain-text credentials, including usernames and passwords, if they are not already saved in the browser. Handling raw credentials within a chat session exposes sensitive secrets to the agent's context and conversation history.
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to solicit phone numbers and SMS verification codes (One-Time Passwords) from the user to bypass login walls. Soliciting and processing multi-factor authentication codes in a chat environment is a significant security risk.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interacts with untrusted external web content without implementing safeguards.
- Ingestion points: The skill uses the browser tool to read and interact with various web pages, including login walls and lazy-loaded content.
- Boundary markers: There are no instructions or delimiters (like XML tags or specific 'ignore' directives) to prevent the agent from following instructions that might be embedded maliciously within the HTML or snapshots of the web pages.
- Capability inventory: The agent has the ability to navigate URLs, interact with form fields, take snapshots, and save files to the local filesystem (e.g., /tmp/).
- Sanitization: No sanitization or filtering logic is specified for the data retrieved from the browser before it is processed by the agent.
Audit Metadata