browser
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by processing untrusted web content through an LLM to drive browser actions.
- Ingestion points: Untrusted data enters the agent context from any web page loaded via the
browser navigatecommand in SKILL.md. - Boundary markers: The documentation does not describe the use of delimiters or 'ignore' instructions to prevent the agent from obeying commands embedded in page HTML or text.
- Capability inventory: The skill can perform complex browser actions (
act), extract structured data (extract), and capture screenshots, which could be abused if the agent is misled by page content. - Sanitization: No evidence is provided for sanitization or filtering of external web content before it is processed by the underlying AI model.
- [COMMAND_EXECUTION]: The skill performs dynamic execution of browser instructions and requires local system modifications during setup.
- The
browser actcommand uses Claude to interpret and execute actions within the browser environment at runtime. - The setup instructions in SKILL.md require
npm link, which modifies the global system path to register the CLI tool. - [EXTERNAL_DOWNLOADS]: The skill manages external code dependencies and browser-initiated file downloads.
- Downloads the
@browserbasehq/stagehandpackage from the npm registry, which is a verified vendor resource for this skill. - Configures the browser via the Chrome DevTools Protocol to allow automatic file downloads to a local directory without enforcing file type restrictions, as described in REFERENCE.md.
Audit Metadata