Browser Automation
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from the web.
- Ingestion points: The skill uses
browser_navigateto access external URLs and tools likeextract_textandextract_allto ingest data from these pages into the agent's context. - Boundary markers: There are no defined boundary markers or system instructions within the skill to differentiate between legitimate user commands and instructions that might be embedded in the web pages being browsed.
- Capability inventory: The skill provides high-impact capabilities including
browser_click,browser_type, andbrowser_screenshot. If an attacker-controlled website successfully injects instructions, they could potentially trick the agent into performing actions on other sites (e.g., clicking buttons or typing data). - Sanitization: The skill does not implement any visible sanitization or filtering of the extracted web content before it is processed by the agent.
Audit Metadata