browser-agent
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is designed to process and act upon untrusted web content, creating a significant Indirect Prompt Injection surface (Category 8).
  - Ingestion points: Web content is ingested via agent-browser and browser-use (e.g., in SKILL.md and references/agent-browser-reference.md).
  - Boundary markers: There are no boundary markers or instructions to ignore embedded commands in the web data described in the documentation.
  - Capability inventory: The agent can navigate, click, input text, and take screenshots, allowing for full browser interaction.
  - Sanitization: No sanitization of web content is performed before it reaches the AI logic.
  - Risk: A malicious site could take control of the browser session to perform actions on other websites where the user might be logged in.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the user to install third-party packages from NPM and PyPI that are not in the trusted source list.
  - Evidence: npm install -g actionbook, npm install -g agent-browser, and pip install browser-use are required for functionality.
  - Binaries: Requires playwright install, which downloads large browser binaries from remote servers.
- [COMMAND_EXECUTION] (MEDIUM): Uses CLI tools to perform browser operations, which involves executing system commands with potentially untrusted URL arguments provided at runtime.
Recommendations
- AI detected serious security threats
Audit Metadata