agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: Access and exfiltration of sensitive data through browser controls.
  - `agent-browser upload` allows the agent to select and send local files to remote websites.
  - `agent-browser cookies` and `agent-browser storage local` provide tools to retrieve session tokens, credentials, and personally identifiable information (PII) from the browser context.
  - `agent-browser state save` enables the agent to write session state, including authentication cookies, to a local file for later persistence.
- [COMMAND_EXECUTION]: Arbitrary code execution within the browser environment.
  - `agent-browser eval` allows the execution of arbitrary JavaScript strings, which can be used to bypass UI constraints or manipulate page logic in ways not intended by the user.
  - `agent-browser wait --fn` evaluates JavaScript conditions to gate execution flows.
- [PROMPT_INJECTION]: High risk of indirect prompt injection from processing external web content.
  - Ingestion points: The agent retrieves untrusted content from the web using `agent-browser snapshot`, `agent-browser get text`, and `agent-browser get html` in `SKILL.md`.
  - Boundary markers: The skill does not provide any delimiters or instructions to help the agent distinguish between trusted instructions and untrusted data fetched from the DOM.
  - Capability inventory: The agent has extensive capabilities including file system write (`state save`), local file read/upload (`upload`), and script execution (`eval`).
  - Sanitization: No sanitization, validation, or filtering of the extracted web content is implemented before it is presented to the agent's context.
Audit Metadata