agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill exposes the
agent-browserCLI tool through the Bash toolset, granting the agent broad control over system-level browser processes, including the ability to manipulate network routing, connect via CDP, and execute arbitrary JavaScript within the browser context using theevalcommand. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process data from external, untrusted websites. * Ingestion points: Content enters the agent's context through
agent-browser snapshot,get text,get html, andconsolecommands inSKILL.md, which capture text and accessibility data from web pages. * Boundary markers: The documentation lacks instructions for using delimiters or boundary markers to distinguish between legitimate tool output and potential instructions embedded in web content. * Capability inventory: The agent possesses extensive capabilities, including shell command execution (agent-browser), file writing (screenshot,pdf,state save), and network access. * Sanitization: There is no mention of sanitization or filtering of the HTML/text content before it is processed by the LLM. - [DATA_EXFILTRATION]: The skill includes explicit commands for retrieving sensitive browser data, such as
cookies,storage local, and the ability to save the entire browser state (state save). While these are standard automation features, they represent a significant data exposure risk if the agent is manipulated into accessing or exfiltrating this data from a user's active session.
Audit Metadata