agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The 'agent-browser eval' command executes arbitrary JavaScript in the browser context. It accepts Base64-encoded scripts via the '-b' flag and multiline scripts via stdin, so obfuscated or complex code derived from untrusted sources can be run without ever appearing in plain text on the command line.
- [DATA_EXFILTRATION]: The skill supports an '--allow-file-access' flag that permits the browser to open local files through 'file://' URLs. If the agent is steered to an attacker-controlled page while this flag is active, page content could expose sensitive local documents and exfiltrate them.
- [COMMAND_EXECUTION]: The skill requires 'Bash' permissions to run the 'agent-browser' CLI and 'npx' commands, which gives the agent a broad execution surface on the host system.
- [PROMPT_INJECTION]: The skill is highly exposed to indirect prompt injection because its core function is to ingest and process data from external, untrusted websites.
  - Ingestion points: Untrusted web data enters the agent context through 'agent-browser snapshot', 'agent-browser get text', and 'agent-browser screenshot --annotate', as documented in 'SKILL.md' and 'references/commands.md'.
  - Boundary markers: Optional output markers can be enabled with 'AGENT_BROWSER_CONTENT_BOUNDARIES' (mentioned in 'SKILL.md'), but they are not enabled by default.
  - Capability inventory: The agent can execute shell commands ('SKILL.md'), run browser-side JavaScript ('references/commands.md'), read local files ('SKILL.md'), and write files such as screenshots, PDFs, and session states ('references/commands.md'). Injected instructions therefore have real capabilities to abuse.
  - Sanitization: No evidence of mandatory sanitization or filtering of web-sourced content is present in the skill's instruction files.
- [EXTERNAL_DOWNLOADS]: The skill uses 'npx' to run browser automation tooling, which may download and execute packages from the npm registry at runtime without a pinned, reviewed version.
- [CREDENTIALS_UNSAFE]: Commands such as 'agent-browser state save' and 'agent-browser auth save' store session tokens and authentication profiles in local files. If these files or the required 'AGENT_BROWSER_ENCRYPTION_KEY' are not managed securely, credential theft is possible.
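As an added example, not part of this audit or of the agent-browser project, the following POSIX sh policy wrapper shows how an operator can enforce the mitigations implied by the findings above before an agent's invocation reaches the real 'agent-browser' binary: 'eval' is refused (its Base64 '-b' form unconditionally, plain 'eval' unless the operator opts in), '--allow-file-access' and 'file://' targets are refused, 'state save' and 'auth save' require 'AGENT_BROWSER_ENCRYPTION_KEY' to be present, and 'AGENT_BROWSER_CONTENT_BOUNDARIES' is switched on for every call. The flag and variable names are those the audit cites; the opt-in variable 'GUARD_ALLOW_EVAL', the 'GUARD_EXEC' switch, and the value '1' as the setting that enables boundary markers are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Gen audit or of agent-browser itself: a policy
# wrapper that filters an agent's agent-browser invocations before they reach
# the real binary. Flag and variable names are the ones the audit cites;
# GUARD_ALLOW_EVAL, GUARD_EXEC and the value "1" for
# AGENT_BROWSER_CONTENT_BOUNDARIES are assumptions of this example.

# guard_decide SUBCOMMAND [ARGS...]
# Prints "allow" or "deny: <reason>" and returns 0 or 1 accordingly.
guard_decide() {
    sub="$1"

    # Finding REMOTE_CODE_EXECUTION: 'eval' runs arbitrary JS in the browser.
    # Refuse Base64 payloads ('-b') outright; refuse plain eval too unless the
    # operator has opted in. Blocking eval also covers the stdin multiline path.
    if [ "$sub" = "eval" ]; then
        for a in "$@"; do
            if [ "$a" = "-b" ]; then
                echo "deny: base64 eval payloads are not permitted"
                return 1
            fi
        done
        if [ "${GUARD_ALLOW_EVAL:-0}" != "1" ]; then
            echo "deny: eval is disabled (GUARD_ALLOW_EVAL=1 opts in)"
            return 1
        fi
    fi

    # Finding DATA_EXFILTRATION: never let an agent-driven browser read local
    # files, whether via the flag or via a file:// target.
    for a in "$@"; do
        case "$a" in
            --allow-file-access|--allow-file-access=*)
                echo "deny: --allow-file-access is not permitted"
                return 1 ;;
            file://*)
                echo "deny: file:// URLs are not permitted"
                return 1 ;;
        esac
    done

    # Finding CREDENTIALS_UNSAFE: 'state save' and 'auth save' write session
    # tokens and auth profiles to disk; require the encryption key to be set.
    if [ "$sub" = "state" ] || [ "$sub" = "auth" ]; then
        if [ "${2:-}" = "save" ] && [ -z "${AGENT_BROWSER_ENCRYPTION_KEY:-}" ]; then
            echo "deny: $sub save requires AGENT_BROWSER_ENCRYPTION_KEY"
            return 1
        fi
    fi

    echo "allow"
    return 0
}

# Finding PROMPT_INJECTION: boundary markers are off by default. Turn them on
# (assumed value "1") unless the operator set the variable explicitly, so that
# snapshot / get text / screenshot output is marked as untrusted web content.
# Prints the effective value.
guard_env() {
    if [ -z "${AGENT_BROWSER_CONTENT_BOUNDARIES:-}" ]; then
        AGENT_BROWSER_CONTENT_BOUNDARIES=1
        export AGENT_BROWSER_CONTENT_BOUNDARIES
    fi
    echo "$AGENT_BROWSER_CONTENT_BOUNDARIES"
}

# Wrapper entry point: decide, then hand the unchanged argv to the real CLI.
guard_main() {
    decision=$(guard_decide "$@") || { echo "agent-browser-guard: $decision" >&2; exit 1; }
    guard_env >/dev/null
    exec agent-browser "$@"
}

# Run as a wrapper only when explicitly asked, so the file can also be sourced.
if [ "${GUARD_EXEC:-0}" = "1" ]; then
    guard_main "$@"
fi
```

Install it as the 'agent-browser' the agent's PATH resolves to, with GUARD_EXEC=1 set in the agent's environment and the real binary reachable under its own name further down PATH. The wrapper denies by printing the reason to stderr and exiting non-zero, so the agent sees a failed command rather than silently altered behaviour; the key-presence check is a minimum, not a substitute for protecting the saved state files themselves.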
Audit Metadata