agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates full browser control using the `agent-browser` CLI tool, which allows the agent to navigate to any URL (posing a risk of SSRF if used to access internal metadata services) and perform complex interactions with web pages.
- [REMOTE_CODE_EXECUTION]: The `eval` command enables the execution of arbitrary JavaScript code within the browser context. This power could be abused to manipulate page logic, bypass security controls on websites, or execute instructions provided by malicious web content.
- [DATA_EXFILTRATION]: Several commands allow for the movement of sensitive information. The `upload` command can be used to send local files to external websites, while the `cookies`, `storage`, and `state save` commands provide direct access to session tokens and authentication data.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the live web. Instructions hidden in page content could influence the agent's behavior when it uses data-gathering tools.
  - Ingestion points: Commands such as `snapshot`, `get text`, `get html`, and `console` bring external web content into the agent's context.
  - Boundary markers: No explicit markers or "ignore instructions" warnings are defined to separate web content from agent instructions.
  - Capability inventory: The agent has access to highly impactful tools including `eval`, `upload`, `network route`, and session management (`cookies`, `state save`).
  - Sanitization: The instructions do not define any sanitization, filtering, or validation for the content retrieved from the browser.
Audit Metadata