skills/agent-sh/agentsys/web-browse/Gen Agent Trust Hub

web-browse

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from external websites, which creates an inherent surface for indirect prompt injection.
      • Ingestion points: Untrusted content is retrieved from web pages through the goto, read, snapshot, extract, and evaluate actions.
      • Boundary markers: The skill implements a [PAGE_CONTENT: ...] delimiter to encapsulate retrieved data and provides a prominent 'CRITICAL' warning instruction to the agent to ignore any commands found within page content.
      • Capability inventory: The skill provides significant browser interaction capabilities, including element clicking, text typing, form filling, file uploading, and arbitrary JavaScript execution via evaluate.
      • Sanitization: While no automated content sanitization (like HTML stripping) is mentioned, the skill relies on instructional guardrails and explicit delimiters to prevent the agent from obeying embedded commands.
  • [COMMAND_EXECUTION]: The skill operates by executing a local Node.js script located at /Users/avifen/.agentsys/plugins/web-ctl/scripts/web-ctl.js. This is the intended execution model for the browser control plugin.
  • [DATA_EXFILTRATION]: Browser automation allows the agent to navigate to arbitrary URLs and submit data via forms or network requests. This functionality, while necessary for the skill's purpose, could be leveraged to send information to external servers.
  • [CREDENTIALS_UNSAFE]: The login macro facilitates automated authentication by accepting username and password strings as command-line arguments. This pattern involves the agent handling sensitive credentials which are then processed by the local browser controller script.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 03:13 PM