browser-tools
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The `browser-cookies.js` script extracts and prints all browser cookies from the active session to the console, which can include sensitive session tokens and authentication data used for debugging session state.
- [DATA_EXFILTRATION]: The `browser-start.js` utility accesses sensitive browser profile directories such as `~/.config/google-chrome/` or `~/Library/Application Support/Google/Chrome/` to duplicate user session data (cookies, logins, and history) for the agent's browser instance.
- [COMMAND_EXECUTION]: `browser-start.js` utilizes `execSync` and `spawn` to run system commands like `mkdir`, `rm`, and `rsync` for managing browser profile directories and launching the browser with remote debugging enabled.
- [PROMPT_INJECTION]: The `browser-content.js` script fetches and processes untrusted external website content into markdown, creating a surface for indirect prompt injection attacks.
  - Ingestion points: `browser-content.js` (scrapes the full `outerHTML` of any URL provided as an argument).
  - Boundary markers: None present in the scripts to delimit external content or warn the agent to ignore instructions embedded within the processed text.
  - Capability inventory: The skill provides high-risk capabilities including `browser-eval.js` (arbitrary JavaScript execution) and `browser-cookies.js` (credential access).
  - Sanitization: While the script uses Mozilla's `Readability` and `Turndown` to filter HTML, it does not sanitize the resulting text for adversarial instructions targeting the agent.
Audit Metadata