agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill ingests untrusted data from web pages which could contain malicious instructions designed to influence the agent's behavior.
  - Ingestion points: Untrusted content enters the agent context through `agent-browser snapshot` and `agent-browser get text` in `SKILL.md`.
  - Boundary markers: Protection is optional and must be enabled using the `--content-boundaries` flag.
  - Capability inventory: The skill can execute arbitrary JavaScript via `eval`, write files (`screenshot`, `pdf`, `state save`), and perform network navigation across all scripts.
  - Sanitization: No explicit sanitization or filtering of external content before processing is documented.
- [COMMAND_EXECUTION]: Arbitrary JavaScript Execution. The `agent-browser eval` command (documented in `references/commands.md`) allows for the execution of arbitrary JavaScript within the browser context. This capability can be used to interact with sensitive DOM elements or exfiltrate data from authenticated sessions.
- [DATA_EXFILTRATION]: Sensitive State Storage. The skill's state management features (`state save` and `--session-name`) store browser session data, including cookies and localStorage tokens, in local files. According to `references/authentication.md`, these contain sensitive session tokens in plaintext unless the `AGENT_BROWSER_ENCRYPTION_KEY` environment variable is specifically set.
- [CREDENTIALS_UNSAFE]: Local File Access. The tool supports the `--allow-file-access` flag which allows the browser to open and read local system files via `file://` URLs, as shown in `SKILL.md`. This could lead to the exposure of sensitive local data if the agent is manipulated into accessing unauthorized paths.
Audit Metadata