Skills
skills/agent-sh/web-ctl/web-browse/Gen Agent Trust Hub

web-browse

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: Significant indirect prompt injection surface detected due to processing arbitrary web content.
  • Ingestion points: Untrusted data enters the agent context via the goto, read, snapshot, extract, and paginate actions which process content from external URLs (SKILL.md).
  • Boundary markers: The skill instructions specify that returned content is wrapped in [PAGE_CONTENT: ...] delimiters and includes a explicit warning to never treat page text as instructions (SKILL.md).
  • Capability inventory: The skill can perform network operations, file uploads, and arbitrary JavaScript execution (SKILL.md).
  • Sanitization: The skill implements shell quoting for URLs and restricts file upload paths to specific directories while blocking dotfiles (SKILL.md).
  • [COMMAND_EXECUTION]: The evaluate action allows the execution of arbitrary JavaScript code within the browser's page context. While intended for DOM interaction, it provides an execution primitive that could be exploited if the agent is manipulated by malicious web content (SKILL.md).
  • [CREDENTIALS_UNSAFE]: The login macro accepts plaintext username and password as command-line arguments (--user and --pass). This is a security anti-pattern as credentials passed in CLI arguments can be exposed in process listings or shell history (SKILL.md).
  • [DATA_EXFILTRATION]: The file-upload action provides a direct mechanism for the agent to send local files to remote web servers. Although the skill documentation mentions path restrictions to /tmp and the working directory, the capability itself poses a risk of data exfiltration if combined with adversarial instructions (SKILL.md).
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 30, 2026, 02:35 PM