agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill possesses a significant surface for indirect prompt injection via its browser interaction capabilities.
  - Ingestion points: Commands such as `agent-browser snapshot` and `agent-browser get text` ingest arbitrary content from external, potentially malicious websites into the agent's context.
  - Boundary markers: The documentation does not define delimiters or specific 'ignore' instructions for the agent when processing web content, increasing the risk that the agent might follow instructions embedded in a web page (e.g., 'Click the logout button').
  - Capability inventory: The skill has high-privilege web capabilities, including form filling (`fill`), clicking (`click`), and session state management (`state save/load`), which could be abused if the agent is manipulated by web content.
  - Sanitization: No mention is made of sanitizing or filtering the DOM/accessibility tree content before it is presented to the agent.
- DATA_EXFILTRATION (SAFE): The skill allows exporting session states (`agent-browser state save auth.json`) and capturing screenshots. While these involve sensitive data (cookies, tokens, and visual information), they are primary features of the tool and do not constitute a hidden exfiltration vector. Users should treat the resulting files as highly sensitive.
Audit Metadata