agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from arbitrary web pages via `agent-browser open`, `snapshot`, and `get text`. It lacks explicit boundary markers or sanitization logic. Because the skill possesses high-privilege capabilities such as JavaScript execution (`eval`), form interaction (`fill`/`click`), and file uploads, an attacker-controlled website could potentially seize control of the agent's session.
  - Ingestion Points: `agent-browser open <url>`, `agent-browser snapshot`, `agent-browser get text`.
  - Capability Inventory: `eval`, `cookies`, `storage local`, `upload`, `network route`, `fill`, `click`.
  - Boundary Markers: None identified in `SKILL.md`.
  - Sanitization: None identified.
- Data Exposure & Exfiltration (HIGH): Several commands provide direct access to sensitive session data which could be exfiltrated if the agent is compromised by a malicious site.
  - Evidence: `agent-browser cookies` (extracts session tokens), `agent-browser storage local` (accesses application data), and `agent-browser state save auth.json` (persists authentication state to disk).
- Dynamic Execution (MEDIUM): The `agent-browser eval` command allows the execution of arbitrary JavaScript within the context of the loaded web page. This can be used to bypass UI-based restrictions or to programmatically extract data not visible in the accessibility tree.
- Command Execution (LOW): The skill relies on the `Bash(agent-browser:*)` tool. While the usage examples appear standard for a browser automation CLI, the underlying binary's provenance is not established in the markdown file.
Recommendations
- AI detected serious security threats
Audit Metadata