Agent Browser
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- DATA_EXFILTRATION (HIGH): The skill documentation explicitly instructs the agent on how to access sensitive browser data by pointing to a specific local path: /home/willr/.config/google-chrome/Default. Accessing a user's Chrome profile directory allows the agent (and potentially malicious instructions it encounters) to access session cookies, browser history, and saved credentials.
- REMOTE_CODE_EXECUTION (HIGH): The skill includes an eval <js> command which allows for the dynamic execution of arbitrary JavaScript within the browser context. This can be abused to perform actions on behalf of the user or to extract data from the page DOM that isn't normally exposed.
- EXTERNAL_DOWNLOADS (LOW): The skill identifies dependencies on agent-browser via npm and GitHub. While these are hosted on trusted platforms (Vercel), downloading and executing external binaries is a prerequisite for the skill's operation.
- INDIRECT PROMPT INJECTION (LOW): As a browser automation tool, the skill is a primary target for Category 8 attacks.
  - Ingestion points: Any webpage navigated to via agent-browser open.
  - Boundary markers: None identified in the provided documentation or command structure.
  - Capability inventory: Full browser control including click, fill, and eval, which can be used to interact with sensitive web applications (OAuth, banking, etc.).
  - Sanitization: None. The agent directly processes the DOM/snapshot of the untrusted external page.
Recommendations
- AI detected serious security threats
Audit Metadata