agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides commands to access and extract sensitive browser data. Commands like 'agent-browser cookies' and 'agent-browser storage local' retrieve session tokens and private data. The 'agent-browser state save' command persists this data to the filesystem, and 'agent-browser screenshot' can exfiltrate visual information via stdout.
- [COMMAND_EXECUTION]: The skill includes capabilities for arbitrary script execution and network control. The 'agent-browser eval' command executes JavaScript within the loaded page context. The 'agent-browser network route' functionality allows for the interception and modification of network traffic, which could be used to inject malicious payloads or hijack sessions.
- [PROMPT_INJECTION]: The skill exhibits a high surface area for indirect prompt injection due to its interaction with external web content. Ingestion points: Untrusted data enters the agent's context through 'agent-browser open' and 'agent-browser snapshot' commands. Boundary markers: There are no instructions or delimiters to isolate web content from the agent's core logic. Capability inventory: The skill possesses high-impact tools including JavaScript execution ('eval'), cookie access, and network interception. Sanitization: No mechanisms are described to sanitize or validate content extracted from web pages before the agent processes it.
Audit Metadata