agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs browser interactions by executing commands through a custom Bash CLI tool called 'agent-browser'.
- [PROMPT_INJECTION]: The skill is inherently vulnerable to indirect prompt injection as it navigates to and extracts data from untrusted external websites.
- Ingestion points: Untrusted web content enters the agent context through the `open`, `snapshot`, and `get` commands defined in SKILL.md.
- Boundary markers: There are no markers or specific instructions implemented to distinguish between web data and agent instructions.
- Capability inventory: The skill possesses extensive capabilities including form filling, cookie manipulation, and JavaScript execution, which could be abused if an injection occurs.
- Sanitization: No evidence of content sanitization or filtering is present for the data retrieved from the web.
- [REMOTE_CODE_EXECUTION]: The command `agent-browser eval` allows for the execution of arbitrary JavaScript code within the browser context. This is a powerful feature that poses a risk if the agent is directed to execute scripts derived from untrusted inputs.
- [DATA_EXFILTRATION]: The tool includes capabilities to read and save sensitive browser data, such as `cookies` and `storage local`, as well as saving the entire session state to a file (state save). These features, while standard for the use case, could be used to extract authentication tokens if the agent is compromised.
Audit Metadata