browser
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the @browserbasehq/stagehand and @anthropic-ai/claude-agent-sdk packages via NPM. These are recognized as legitimate resources from a trusted vendor and are used for the skill's core functionality.
- [COMMAND_EXECUTION]: The skill provides a CLI tool (browser) that executes browser automation commands. This is the primary function of the skill and uses standard Playwright/Stagehand wrappers to interact with a local or remote Chrome instance.
- [DATA_EXFILTRATION]: The skill uses a persistent browser profile located in .chrome-profile/. This is used to store session data and cookies to support authenticated workflows across multiple runs, which is expected behavior for browser automation tools.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection due to its interaction with live web content.
  - Ingestion points: Untrusted data is ingested whenever the agent navigates to a URL or extracts information from a webpage, such as the e-commerce or news examples provided in EXAMPLES.md.
  - Boundary markers: The documentation does not explicitly detail the use of boundary markers or instructions to ignore embedded commands when the agent processes the resulting page data.
  - Capability inventory: The skill has extensive capabilities including navigation, clicking, typing, and data extraction, which could be leveraged if the agent follows instructions found on a malicious website.
  - Sanitization: The skill relies on the underlying LLM's logic and the Stagehand library to interpret web elements and instructions, without specific mention of content sanitization or filtering.
Audit Metadata