agent-browser

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The skill contains commands designed to access and export sensitive session data. In particular, agent-browser cookies and agent-browser storage local allow dumping session identifiers and local data, while agent-browser state save allows persisting full authentication states to local files. These can be abused to hijack user sessions.
  • [REMOTE_CODE_EXECUTION] (HIGH): The agent-browser eval command allows for the execution of arbitrary JavaScript code within the context of the current web page. This provides a mechanism to bypass security controls, manipulate the DOM in ways not exposed by other tools, or programmatically exfiltrate data.
  • [COMMAND_EXECUTION] (HIGH): The skill allows the execution of the agent-browser CLI via the Bash tool with a wildcard permission (agent-browser:*). This gives the agent full access to high-risk browser capabilities, including network interception (network route), file system writes (screenshot <path>, state save <path>), and environment manipulation.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The agent-browser set credentials command allows for the programmatic setting of HTTP Basic Authentication credentials. While the example uses placeholders, the capability facilitates the handling of raw secrets in the command-line history or agent logs.
  • [PROMPT_INJECTION] (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because its primary function is to ingest and process untrusted data from external websites.
      ◦ Ingestion points: agent-browser snapshot, agent-browser get text, agent-browser get html, and agent-browser get attr all bring external content into the agent's context.
      ◦ Boundary markers: None. The instructions do not provide guidance on how to distinguish between website content and agent instructions.
      ◦ Capability inventory: The agent has access to highly privileged tools including eval, cookies, storage, and network management.
      ◦ Sanitization: None detected. The agent is expected to read the DOM directly and act upon it, creating a direct path for a malicious website to provide instructions to the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:33 PM