agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The installation instructions require `npm install -g agent-browser` and `agent-browser install`. This fetches a package and a Chromium binary from untrusted/unverifiable sources (author 'bentossell'), posing a supply chain risk.
- PROMPT_INJECTION - Category 8 (HIGH): This skill is a primary vector for Indirect Prompt Injection.
  - Ingestion points: Data enters the agent context via `agent-browser snapshot`, `get text`, and `get html` from any URL opened.
  - Boundary markers: None identified; untrusted web content is processed as raw text/HTML.
  - Capability inventory: The skill has access to the `bash` and `computer` tools, and includes an `eval` command for arbitrary JavaScript execution.
  - Sanitization: No sanitization or filtering of web content is documented.
  - Risk: An attacker-controlled website could contain malicious instructions that the agent reads and subsequently executes via the `bash` tool or `eval` command.
- REMOTE_CODE_EXECUTION (HIGH): The `agent-browser eval` command allows the execution of arbitrary JavaScript within the browser context. If the input for this command is derived from untrusted web content (e.g., via a snapshot), it can lead to cross-site scripting (XSS) or further exploitation if the agent leaks local data.
- COMMAND_EXECUTION (HIGH): The skill requires the `bash` and `computer` tools. These allow for full system control. When combined with the browser's ability to read external data, this creates a high-risk execution environment.
- CREDENTIALS_UNSAFE (MEDIUM): The commands `state save auth.json` and `state load auth.json` handle sensitive session cookies and authentication tokens. If used in shared or poorly secured environments, these files could be targeted for credential theft.
Recommendations
- AI detected serious security threats
Audit Metadata