browser-pilot
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Obfuscation (MEDIUM): The skill documentation explicitly instructs the agent: "DO NOT read the source until you try running the script first... They exist to be called directly as black-box scripts rather than ingested into your context window." This is an evasion tactic that prevents the AI from performing security analysis on the underlying logic before execution.
- Dynamic Execution (MEDIUM): The eval command (
node .browser-pilot/bp eval -e <javascript-expression>) allows for arbitrary JavaScript execution within the browser context. While useful for automation, it can be abused if the agent is influenced by untrusted input to execute malicious scripts. - Indirect Prompt Injection (LOW): The skill is designed to browse and interact with arbitrary web content, making it vulnerable to instructions embedded in websites. Ingestion points: Navigates to arbitrary URLs via
navigate, extracts page content viaextractandcontent. Boundary markers: Absent. The instructions do not warn the agent to ignore instructions found within the scraped web content. Capability inventory: Full browser control includingclick,fill,eval, and access tocookies. Sanitization: No sanitization or safety filtering of page content before processing is documented.
Audit Metadata