agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of an external package 'agent-browser' via `npm install -g agent-browser` and subsequently downloads Chromium through `agent-browser install`. These resources do not originate from a recognized trusted organization or well-known service.
- [REMOTE_CODE_EXECUTION]: The `agent-browser eval` command allows the agent to execute arbitrary JavaScript strings within the browser session. This capability provides a direct vector for code execution in the browser context, which can be exploited to interact with sensitive session data or bypass client-side security.
- [COMMAND_EXECUTION]: The skill utilizes the `Bash` tool to perform complex browser interactions (open, click, fill, screenshot). This gives the agent broad control over a browser process running on the host system.
- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection as it processes untrusted content from the web.
  - Ingestion points: Web content is ingested into the agent context via `agent-browser snapshot`, `agent-browser get text`, and `agent-browser get html` as described in `SKILL.md` and `references/ai-snapshot-workflow.md`.
  - Boundary markers: Absent. The instructions do not provide delimiters or warnings to treat the retrieved web content as untrusted data.
  - Capability inventory: The agent has access to `Bash`, can execute arbitrary JS via `eval`, set credentials, and manage cookies/storage.
  - Sanitization: Absent. There is no evidence of filtering or sanitizing the retrieved HTML or text before it is presented to the agent for decision-making.
Audit Metadata