agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill documents the `--allow-file-access` flag, which enables the browser to read sensitive files from the local filesystem using `file://` URLs.
  - Evidence: Found in SKILL.md and references/commands.md, which describe opening local files and PDFs via this flag.
- [REMOTE_CODE_EXECUTION]: The skill supports executing arbitrary JavaScript at runtime, including support for Base64-encoded scripts, which can be used to bypass static analysis of the logic being executed.
  - Evidence: references/commands.md defines the `eval` command with `-b/--base64` and `--stdin` options.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external websites and uses it in the agent context without sanitization.
  - Ingestion points: element text and page content extracted via `snapshot` and `get text` in SKILL.md and templates/capture-workflow.sh.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the provided templates.
  - Capability inventory: The skill can write files (templates/capture-workflow.sh), navigate the network, and execute browser interactions through the `agent-browser` subprocess.
  - Sanitization: No sanitization or validation of the extracted web content is performed before processing.
- [COMMAND_EXECUTION]: The skill relies on executing a series of CLI commands for browser control and automation.
  - Evidence: SKILL.md and references/commands.md provide an extensive list of browser interaction commands.
Audit Metadata