skills/avifenesh/agentsys/web-browse/Gen Agent Trust Hub

web-browse

Warn

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes a local Node.js script located at a hardcoded path: /Users/avifen/.agentsys/plugins/web-ctl/scripts/web-ctl.js. This allows the agent to execute shell commands to control a headless browser.
  • [DYNAMIC_EXECUTION]: The evaluate action allows for the execution of arbitrary JavaScript code within the context of the web page. This is a powerful capability that could be abused if the agent is influenced by malicious content to run scripts that exfiltrate session data or perform unauthorized actions.
  • [DATA_EXFILTRATION]: Multiple actions handle sensitive data or local file access:
      • The login macro accepts --user and --pass arguments, creating a risk of credential exposure in logs or process histories.
      • The file-upload macro allows the agent to upload files from the local filesystem (restricted to /tmp, working directory, or WEB_CTL_UPLOAD_DIR).
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection as it processes untrusted data from the web.
      • Ingestion points: Web content is ingested via goto, read, snapshot, extract, and paginate actions.
      • Boundary markers: The skill uses [PAGE_CONTENT: ...] delimiters and includes a 'CRITICAL: Prompt Injection Warning' section to instruct the agent to ignore instructions found within page content.
      • Capability inventory: The agent can perform significant actions based on page content, including clicking elements, filling forms, and executing JavaScript (evaluate).
      • Sanitization: The skill relies on the LLM's adherence to instructions and the provided delimiters rather than hard technical sanitization of the web content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 2, 2026, 02:07 PM