agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- Indirect Prompt Injection (LOW): The skill is designed to ingest untrusted data from arbitrary websites via 'open', 'snapshot', and 'get' commands.
  - Ingestion points: Commands like `agent-browser open <url>` and `agent-browser snapshot` bring external data into the agent's context.
  - Boundary markers: There are no explicit instructions or delimiters defined to help the agent distinguish between tool instructions and content found on a page.
  - Capability inventory: The agent has access to powerful browser commands, including script execution and file uploads, which could be abused if an external site successfully injects instructions.
  - Sanitization: No evidence of sanitization or content filtering is present in the skill definition.
- Data Exposure & Exfiltration (LOW): The tool provides mechanisms to access sensitive browser and local data.
  - Evidence: `agent-browser cookies` and `agent-browser storage local` allow for the extraction of authentication tokens and session state.
  - Evidence: `agent-browser upload @e1 file.pdf` enables the reading and uploading of local files to web elements.
- Remote Code Execution (LOW): The skill allows running arbitrary JavaScript in the browser environment.
  - Evidence: `agent-browser eval "document.title"` provides a direct interface for executing JS, which poses a risk if the agent is coerced into running attacker-controlled code.
- Credential Handling (LOW): The skill manages authentication secrets.
  - Evidence: `agent-browser set credentials user pass` and `agent-browser state save auth.json` involve the direct handling and persistence of sensitive user credentials and session files.
Audit Metadata