claude-browser
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection vulnerability surface.
  - Ingestion points: Data enters the agent context through `read_page`, `get_page_text`, `read_console_messages`, and `read_network_requests` tools in SKILL.md.
  - Boundary markers: The skill does not define delimiters or provide instructions to ignore commands embedded in the ingested web content.
  - Capability inventory: The skill has access to powerful tools including `javascript_tool` (arbitrary JS execution), `form_input` (user interaction), `computer` (mouse/keyboard control), and `upload_image` (data capture).
  - Sanitization: No sanitization or validation of the ingested external content is described.
- [COMMAND_EXECUTION]: The `javascript_tool` allows the agent to execute arbitrary code within the context of the user's browser tabs, providing a vector for exploitation if the agent is misled by malicious data.
- [DATA_EXFILTRATION]: The skill targets authenticated web applications and provides tools (`read_page`, `read_network_requests`, `upload_image`) that could be used to extract sensitive session data, cookies, or personal information if manipulated.
Audit Metadata