agent-browser
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- Obfuscation (MEDIUM): The agent-browser eval -b command explicitly supports executing Base64-encoded JavaScript. While documented as a convenience for shell escaping, this feature can be used to hide malicious payloads from simple pattern-based security filters.
  - Evidence: Found in references/commands.md: agent-browser eval -b "ZG9jdW1lbnQucXVlcnlTZWxlY3RvcignW3NyYyo9Il9uZXh0Il0nKQ==".
- Dynamic Execution (MEDIUM): The skill provides multiple interfaces (eval, eval -b, and eval --stdin) for executing arbitrary JavaScript within the browser context. This allows for dynamic code execution that could be exploited if the agent is directed to untrusted sites.
  - Evidence: Documented across SKILL.md and references/commands.md.
- Data Exposure & Exfiltration (MEDIUM): The state save and state load commands handle sensitive browser session data, including cookies and local storage. If an agent is tricked into uploading these generated files (e.g., auth-state.json), full session hijacking could occur.
  - Evidence: Featured in templates/authenticated-session.sh and references/session-management.md.
- Indirect Prompt Injection (LOW): The skill is designed to navigate the public web and extract text content, which is a major vector for indirect prompt injection where malicious websites provide instructions to the agent.
  - Ingestion points: agent-browser open, agent-browser snapshot, and agent-browser get text in SKILL.md and templates/capture-workflow.sh.
  - Boundary markers: None implemented; untrusted web content is passed directly to the agent's context.
  - Capability inventory: The skill has broad capabilities including browser control, JavaScript execution, and file system writes (screenshot, pdf, state save).
  - Sanitization: No evidence of content sanitization or filtering is present in the provided logic.
Audit Metadata