agent-browser-automation

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill operates by executing the agent-browser CLI tool, which interacts with the local system to manage browser processes, file system paths for screenshots and PDFs, and system-level configurations.
  • [REMOTE_CODE_EXECUTION]: The skill exposes agent-browser eval and agent-browser eval -b commands. These allow for the execution of arbitrary JavaScript within the browser context. The -b flag specifically facilitates the execution of Base64-encoded scripts, which can be used to obfuscate malicious logic.
  • [EXTERNAL_DOWNLOADS]: The command agent-browser install is used to download the 'Chrome for Testing' binary from a remote source. While a standard requirement for this tool's functionality, it involves the retrieval and setup of unverified external executables on the host machine.
  • [DATA_EXFILTRATION]: The tool provides capabilities to access and extract sensitive data through commands like agent-browser cookies, agent-browser storage, and agent-browser state save. Additionally, agent-browser clipboard read allows the agent to access information from the system clipboard, which may contain sensitive user data.
  • [PROMPT_INJECTION]: The skill presents a high risk for indirect prompt injection due to its ability to process untrusted web content and its extensive system capabilities.
      • Ingestion points: SKILL.md describes methods to retrieve untrusted data via agent-browser snapshot (accessibility tree), agent-browser get text, agent-browser console, and agent-browser errors.
      • Boundary markers: No boundary markers or instructions to ignore embedded commands are defined in the skill documentation.
      • Capability inventory: The tool possesses high-impact capabilities including eval (JavaScript execution), upload (file uploads), network route (request interception/mocking), clipboard write, and state save (session data extraction).
      • Sanitization: The documentation does not specify any sanitization or filtering of the content retrieved from external websites before it is processed by the AI agent.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 17, 2026, 05:29 PM