agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The README.md and index.html files instruct users to install the skill using curl -fsSL https://raw.githubusercontent.com/BowTiedSwan/agent-browser-skill/main/install.sh | bash. This pattern is high-risk as it downloads and executes a shell script from a remote repository without prior verification.
- [EXTERNAL_DOWNLOADS]: The install.sh script performs a global installation of the agent-browser package from npm. While the tool is attributed to a well-known organization, the installation script itself resides on a third-party repository.
- [COMMAND_EXECUTION]: The skill is designed to run the agent-browser CLI tool, which allows the agent to execute subprocesses for browser navigation, interaction with elements, and file system writes for screenshots.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core functionality of reading web data.
  - Ingestion points: External web content enters the agent context through agent-browser open and snapshot as described in SKILL.md.
  - Boundary markers: There are no boundary markers or explicit instructions telling the agent to treat retrieved web content as untrusted.
  - Capability inventory: The agent can execute commands, write files (screenshots), and access the network.
  - Sanitization: No sanitization, filtering, or validation is performed on the data extracted from the headless browser before it is provided to the agent for processing.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/BowTiedSwan/agent-browser-skill/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata