agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the web.
  - Ingestion points: Web content is ingested via `agent-browser open`, `agent-browser snapshot`, and `agent-browser get text` commands.
  - Boundary markers: None identified; the skill does not instruct the agent to ignore or delimit embedded instructions within the fetched web content.
  - Capability inventory: The skill has significant capabilities including file writing (`agent-browser state save`), JavaScript execution (`agent-browser eval`), and network access via the browser.
  - Sanitization: There is no mention of sanitization or filtering of the content retrieved from web pages before it is processed by the agent.
- [DATA_EXFILTRATION]: The skill provides tools to access and manage sensitive session data which could be abused for exfiltration.
  - Evidence: Commands like `agent-browser cookies`, `agent-browser storage local`, and `agent-browser state save auth.json` allow the agent to read and export session tokens, authentication cookies, and local storage data.
- [COMMAND_EXECUTION]: The skill allows for dynamic execution of code within the browser context.
  - Evidence: The `agent-browser eval "<javascript>"` command enables the execution of arbitrary JavaScript code within the loaded web page, which could be used to manipulate page logic or bypass security controls (e.g., Content Security Policy) if the agent is misled.
Audit Metadata