agent-browser

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The eval and eval -b commands allow for arbitrary JavaScript execution within the browser context. The -b flag specifically facilitates the execution of Base64 encoded code, which is a common obfuscation technique used to bypass security filters and hide malicious intent.
  • [DATA_EXFILTRATION]: The --allow-file-access flag permits the browser to access local system files via file:// URLs. This capability can be weaponized to read sensitive local data, such as SSH keys or cloud credentials, which can then be exfiltrated through the browser's network capabilities or extracted via the agent's output.
  • [DATA_EXFILTRATION]: Commands such as cookies, storage local, and get html provide direct access to sensitive session data and authentication tokens. The state save command further allows persisting this sensitive data to disk, creating a risk of credential theft if the state files are accessed by unauthorized users.
  • [EXTERNAL_DOWNLOADS]: The agent-browser install command downloads and installs Chromium browser binaries and system dependencies from remote servers. While the tool originates from a trusted organization (Vercel Labs), the execution of remote installation scripts and binary downloads remains a critical operation that should be monitored.
  • [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection, as its primary function is to ingest and process untrusted data from the web.
      • Ingestion points: Web content is ingested through snapshot, get text, get html, and console logs.
      • Boundary markers: The skill mentions an optional --content-boundaries flag to delimit output, but it is not active by default in the command examples.
      • Capability inventory: The skill possesses powerful capabilities, including arbitrary code execution (eval), network routing/interception, and local file access (--allow-file-access).
      • Sanitization: While features like --max-output and --allowed-domains exist, they are optional and do not prevent the initial injection from occurring during data ingestion.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 14, 2026, 02:29 AM