agent-browser

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill requires a global installation of agent-browser via npm and the subsequent download of Chromium.
      ◦ Evidence: npm install -g agent-browser and agent-browser install are listed as prerequisites in both README.md and SKILL.md.
      ◦ Trust Status: The 'vercel-labs' organization is a trusted source, downgrading this specific finding to LOW.
  • [COMMAND_EXECUTION] (HIGH): The skill facilitates the execution of numerous shell commands to interact with a browser daemon.
      ◦ Evidence: Commands such as agent-browser click, agent-browser fill, and agent-browser open are primary functionalities described in SKILL.md.
      ◦ Risk: If an agent is tricked into executing these with malicious parameters (e.g., clicking a 'Delete' button or navigating to a phishing site), the impact is significant.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted external data (websites).
      ◦ Ingestion points: agent-browser snapshot reads the accessibility tree of any URL the agent visits.
      ◦ Boundary markers: None. There are no instructions or delimiters to help the agent distinguish between its instructions and the text found on a website.
      ◦ Capability inventory: The skill has full 'write' capabilities in the browser context, including click, fill, type, and navigation.
      ◦ Sanitization: None. The accessibility tree/JSON output is passed directly to the AI agent.
      ◦ Severity: HIGH. The combination of reading external content and possessing interactive capabilities allows a website to essentially 'command' the agent via the browser UI.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill supports the use of persistent browser profiles and custom headers, which are likely to contain session cookies or authentication tokens.
      ◦ Evidence: Documentation for --profile <path> and --headers <json> in SKILL.md.
      ◦ Risk: While not hardcoded, the skill facilitates the exposure of these sensitive assets to the agent's logic and potentially to the web pages it interacts with.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:30 PM