agent-browser
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing the `agent-browser` CLI to perform automation tasks. This includes file system operations like saving screenshots (.png) and PDF reports.
- [REMOTE_CODE_EXECUTION]: The CLI includes an `eval` command that allows the execution of JavaScript within the browser context. The documentation provides a pattern for using `eval --stdin` to handle complex payloads safely without shell escaping issues.
- [DATA_EXFILTRATION]: The skill enables network operations via browser navigation and the ability to save/load browser session states (e.g., `auth.json`), which may contain sensitive cookies or credentials.
- [PROMPT_INJECTION]: Because the skill ingests content from external websites (via `snapshot` and `get text`), it is a surface for indirect prompt injection.
  - Ingestion points: `agent-browser snapshot -i`, `agent-browser get text` (SKILL.md, references/commands.md)
  - Boundary markers: Documentation explicitly suggests using `AGENT_BROWSER_CONTENT_BOUNDARIES=1` to wrap ingested content (SKILL.md)
  - Capability inventory: Subprocess execution (agent-browser), file-write (screenshot, state save), network access (open)
  - Sanitization: Recommends the use of `AGENT_BROWSER_ACTION_POLICY` to restrict high-risk commands like `eval` or `download` (SKILL.md)
- [EXTERNAL_DOWNLOADS]: The skill references configuration and documentation from Vercel Labs' official GitHub repository and established website (agent-browser.dev).
Audit Metadata