agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests untrusted data from the web and possesses powerful write/execute capabilities.
  - Ingestion points: agent-browser open, snapshot, get text, and get html in SKILL.md.
  - Boundary markers: Absent.
  - Capability inventory: Arbitrary JavaScript execution (eval), form manipulation (fill, click), file uploads (upload), and network interception (network route).
  - Sanitization: None detected for extracted web content.
- [Remote Code Execution] (HIGH): The eval command allows for the execution of arbitrary JavaScript within the browser context. This can be abused if the agent is tricked into running malicious code by a website. Evidence: agent-browser eval in SKILL.md.
- [Data Exfiltration] (HIGH): The skill provides mechanisms to send local data to external sources or expose session secrets. Evidence: agent-browser upload @e1 file.pdf for file exfiltration, and agent-browser cookies or agent-browser state save for session data exposure.
- [Command Execution] (MEDIUM): The skill exposes a wide range of browser control commands, including network routing and process-level interaction via CDP. Evidence: agent-browser network route and agent-browser --cdp 9222 in SKILL.md.
Recommendations
- AI detected serious security threats
Audit Metadata