agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Execution of JavaScript in Browser Context: The
evalcommand allows the agent to execute JavaScript code directly within the browser's environment. While this is a standard feature for advanced automation and data extraction, it involves the dynamic execution of scripts in the browser sandbox. - Authentication and Session State Management: The skill supports saving and loading browser state (e.g.,
state save auth.json). This process involves handling sensitive session data like cookies and local storage to maintain authenticated sessions across tasks. - External Data Processing and Interaction: The skill is designed to interact with and extract information from external websites, which introduces a surface for indirect prompt injection.
- Ingestion points: External web content is ingested via
agent-browser open <url>,snapshot -i, andget text(SKILL.md). - Boundary markers: The skill does not define specific delimiters or warnings to ignore instructions that might be embedded in web pages (SKILL.md).
- Capability inventory: The tool possesses high-interaction capabilities, including
click,fill,eval,state save, andpress(SKILL.md). - Sanitization: There is no mention of sanitizing or filtering external content before it is processed by the agent (SKILL.md).
- File System Operations: The skill performs file writes to store automation artifacts, such as screenshots, PDFs, and extracted page text. These operations facilitate debugging and reporting of the automation tasks.
Audit Metadata