Browser

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface (Category 8).
      • Ingestion points: The skill fetches untrusted data from the internet via navigate() and Browse.ts CLI.
      • Boundary markers: None present in the code or instructions to delimit untrusted web content from agent instructions.
      • Capability inventory: Significant capabilities including clicking, form filling, file uploading, and arbitrary JavaScript execution, which could be exploited by malicious content on a webpage.
      • Sanitization: Lacks sanitization for interactive components, though optional HTML minification/cleaning is available for extraction.
  • [COMMAND_EXECUTION] (LOW): Potential for command injection through shell-based browser opening.
      • Evidence: SKILL.md documentation includes the command open -a "$BROWSER" "<url>". If the URL or BROWSER variables are derived from untrusted input without sanitization, this could lead to local command execution.
  • [EXTERNAL_DOWNLOADS] (SAFE): A workflow instructions file suggests downloading a README from a trusted source for comparison.
      • Evidence: curl targeting microsoft/playwright-mcp (GitHub trusted organization).
  • [COMMAND_EXECUTION] (LOW): Provides a direct method for the agent to execute arbitrary JavaScript within the browser page.
      • Evidence: The eval command in Browse.ts and the evaluate() method in the core API allow for script execution in the context of the loaded page.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:02 PM