Agent Browser

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill includes 'eval' and 'wait --fn' commands that allow the execution of arbitrary JavaScript within the browser context. This is a standard automation feature but represents a risk if the agent processes malicious input.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the 'agent-browser' package from NPM and references its source code on Vercel's GitHub repository. Vercel is a well-known and trusted service.
  • [DATA_EXFILTRATION]: Commands such as 'cookies', 'storage local', and 'state save' allow the agent to extract and save sensitive session data, including cookies and authentication tokens.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection.
      * Ingestion points: Content is retrieved from external websites using 'snapshot' and 'get' commands in SKILL.md.
      * Boundary markers: There are no explicit instructions or delimiters used to separate untrusted web content from agent instructions.
      * Capability inventory: The agent has the ability to execute shell commands via 'Bash', write files, and perform network requests.
      * Sanitization: No evidence of sanitization or validation of the retrieved web content is provided.
  • [COMMAND_EXECUTION]: The skill uses the 'Bash' tool to execute 'agent-browser' CLI commands for all browser interactions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 10:14 PM