agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides an `eval` command (`agent-browser eval`) allowing the execution of arbitrary JavaScript within the browser context. This capability is enhanced by support for Base64-encoded strings or STDIN to bypass shell interpretation, which can be leveraged to execute complex logic without detection.
- [DATA_EXFILTRATION]: The tool explicitly supports the `--allow-file-access` flag and `file://` URL schemes, which allow the agent to read local files from the host system. This could be used to expose sensitive local data to a remote web page or an external endpoint.
- [DATA_EXFILTRATION]: Session state including cookies, localStorage, and sessionStorage can be saved to local JSON files (e.g., `auth-state.json`). These files contain sensitive authentication tokens and could lead to account takeover if accessed by unauthorized processes or committed to version control.
- [COMMAND_EXECUTION]: The skill is configured with broad `allowed-tools` for `Bash` to execute the `agent-browser` CLI, giving the agent significant control over the browser process and local file system.
- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection due to its primary function of ingesting untrusted web content.
  - Ingestion points: Website content is processed via `agent-browser snapshot`, `get text`, and `get html` across all workflow files.
  - Boundary markers: No explicit boundary markers or safety warnings are implemented to prevent the AI from obeying instructions found inside page content.
  - Capability inventory: The agent has access to `Bash` sub-processes, browser-side `eval`, file-writing capabilities (state save), and full network access.
  - Sanitization: No sanitization or filtering of external web content is described prior to providing it to the agent context.
Audit Metadata