
autobrowse

Audit verdict: Warn

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/evaluate.mjs script uses execFileSync to execute the browse CLI tool. While the script attempts to sanitize inputs using a custom parser and restricts execution to the browse command, it still executes a binary using arguments derived from the agent's output.
  • [PERSISTENCE_MECHANISMS]: The skill instructs the agent to 'graduate' successful strategies by writing new SKILL.md files directly into the agent's local configuration directory (~/.claude/skills/). This allows the skill to dynamically expand the agent's capabilities and persist new logic across sessions without manual user verification of the generated skill's safety.
  • [INDIRECT_PROMPT_INJECTION]: The skill implements a feedback loop where an 'inner agent' reads accessibility trees (snapshots) from external, untrusted websites. These snapshots are then processed by an 'outer agent' to improve navigation strategies. A malicious website could embed instructions within its HTML or accessibility metadata designed to influence the outer agent's strategy generation or trigger unintended actions.
  • [DATA_EXFILTRATION]: The skill requires and handles sensitive credentials, specifically ANTHROPIC_API_KEY and BROWSERBASE_API_KEY. It transmits browsing session data and task instructions to Browserbase (a third-party platform) when running in remote mode. While this is the intended functionality for the vendor's service, it involves the transmission of potentially sensitive task data to an external provider.
  • [REMOTE_CODE_EXECUTION]: The graduation process effectively generates and installs new executable instructions (skills) based on data retrieved during remote browsing sessions. This creates a path where remote web content can indirectly influence the creation of permanent, executable skills on the user's machine.
  • [CREDENTIALS_UNSAFE]: The documentation and .env.example file encourage the storage of highly sensitive API keys in local .env files. While this is a common development practice, the evaluate.mjs script automatically loads these keys into the environment where they are accessible to the inner agent process.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 23, 2026, 11:12 PM