agent-browser
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill relies on the agent-browser CLI. The provided metadata references (https://github.com/AnsarUllahAnasZ360/cc-guide and https://agent-browser.dev) are not associated with any Trusted Organizations. Use of tools from unverified sources increases the risk of supply chain attacks.
- COMMAND_EXECUTION (MEDIUM): The agent-browser eval command allows the agent to execute arbitrary JavaScript within the browser context. While a standard feature for automation, it presents a risk if the agent is manipulated into executing code that targets the user's active sessions or local environment.
- CREDENTIALS_UNSAFE (MEDIUM): The documentation explicitly demonstrates retrieving sensitive data via agent-browser eval "localStorage.getItem('token')". This pattern encourages the extraction of session credentials, which could be easily exfiltrated if combined with network tools.
- PROMPT_INJECTION (LOW): The skill is highly vulnerable to indirect prompt injection from malicious web content.
  - Ingestion points: agent-browser open, agent-browser snapshot, and agent-browser get text allow untrusted data from external websites into the agent's context.
  - Boundary markers: Absent. There are no instructions or delimiters to help the agent distinguish between its own instructions and the content retrieved from the web.
  - Capability inventory: The skill possesses Bash tool access, browser eval capabilities, and network routing control (agent-browser network route).
  - Sanitization: Absent. The skill does not perform any validation or filtering on the data scraped from web pages before the agent processes it.
Audit Metadata