agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill contains templates for extracting text and structure from arbitrary web pages. \n
- Ingestion points:
agent-browser get text bodyincapture-workflow.shandagent-browser snapshot -iin various templates.\n - Boundary markers: Absent in extraction templates.\n
- Capability inventory: Full browser control via
agent-browser(navigation, form submission, session management).\n - Sanitization: Absent; extracted text is saved directly to files without filtering.\n- [Data Exposure] (LOW): The templates manage sensitive authentication state (cookies and session tokens) via local files. \n
- Evidence:
templates/authenticated-session.shsaves session data toauth-state.json. While thereferences/authentication.mddocumentation correctly advises users to use.gitignoreand environment variables, the default template behavior stores secrets on the local filesystem.
Audit Metadata