agent-browser
Warn
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill implements commands like `agent-browser eval` and the `wait --fn` option, which enable the execution of arbitrary JavaScript code directly within the browser's execution environment.
- [DATA_EXFILTRATION]: The tool includes capabilities to retrieve sensitive user data, specifically through the `agent-browser cookies` and `agent-browser storage local` commands, which expose session information and stored application data.
- [DATA_EXFILTRATION]: The navigation functionality in `agent-browser open` explicitly supports the `file://` protocol, which can be leveraged to access and read files from the local file system through the browser interface.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core design of interacting with external, untrusted web content.
  - Ingestion points: Untrusted data enters the agent's context through every web page navigated to using the `open` command.
  - Boundary markers: There are no specified mechanisms or instructions to demarcate or ignore potentially malicious instructions embedded within the HTML or DOM of target websites.
  - Capability inventory: The skill possesses the ability to write to the file system (`screenshot`, `pdf`, `state save`), modify network behavior (`network route`), and execute logic (`eval`).
  - Sanitization: The documentation does not describe any sanitization, filtering, or validation processes for data extracted from web pages before it is processed by the agent.
- [CREDENTIALS_UNSAFE]: Commands such as `agent-browser set credentials` and proxy configurations with inline authentication encourage the handling of sensitive credentials in plaintext, which may be captured in command histories or logs.