agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing `agent-browser` CLI commands through a shell interface.
- [REMOTE_CODE_EXECUTION]: Arbitrary JavaScript can be executed in the browser context via the `eval` command, with documentation suggesting Base64 encoding to bypass shell interpretation, which could obfuscate malicious logic.
- [DATA_EXFILTRATION]: The tool can access and extract data from arbitrary URLs and local files via the `file://` protocol if the `--allow-file-access` flag is used, creating a risk of local data exposure.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection from web content.
  - Ingestion points: Web data is read via `snapshot` and `get text` commands in `SKILL.md`.
  - Boundary markers: The `AGENT_BROWSER_CONTENT_BOUNDARIES` feature provides markers to delimit tool output.
  - Capability inventory: Commands like `eval`, `click`, and `fill` provide extensive control over the session.
  - Sanitization: No explicit content sanitization is described beyond the use of boundary markers.
- [EXTERNAL_DOWNLOADS]: The skill fetches and executes the `agent-browser` tool from the npm registry using `npx`.
Audit Metadata