agent-browser
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill explicitly supports the file:// protocol in the agent-browser open command. This lets an agent load sensitive local files such as file:///etc/passwd, SSH keys, or configuration files, whose contents can then be extracted with the snapshot or get text commands.
- [COMMAND_EXECUTION]: The agent-browser eval command executes arbitrary JavaScript in the browser context. If the script passed to it is derived from untrusted web content or user input, this is a dynamic code-execution vector.
- [COMMAND_EXECUTION]: The --executable-path global option lets the skill launch an arbitrary binary from the local filesystem in place of a standard browser, which could be abused to execute malicious code with the agent's privileges.
- [CREDENTIALS_UNSAFE]: Several commands, such as agent-browser set credentials <user> <pass>, set headers, and cookies set, take sensitive secrets as plaintext arguments. Those secrets may be exposed in shell history, process listings, or logging systems.
- [PROMPT_INJECTION]: As a browser automation tool, the skill is highly susceptible to indirect prompt injection. It ingests untrusted data from external websites via snapshots and text extraction; an attacker can embed instructions in a webpage to hijack the agent's logic once the page is "read".
- [DATA_EXFILTRATION]: The agent-browser state save command persists session cookies and authentication tokens to local files (e.g., auth-state.json). Although the documentation warns against committing these files, their presence on disk is a credential-exposure risk if the environment is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata