agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides an `eval` command that allows the execution of arbitrary JavaScript within the browser context. This allows for dynamic code execution which can be used to manipulate page content or exfiltrate data from the browser session.
- [DATA_EXFILTRATION]: Several commands allow for the extraction of sensitive session data, including `cookies` (retrieves all cookies), `storage local` (accesses localStorage), and `state save` (persists session/auth state to a local file).
- [DATA_EXFILTRATION]: The `upload` command allows the agent to select and upload local files to web pages, which could be misused to exfiltrate local system files to a remote server.
- [COMMAND_EXECUTION]: The skill exposes a wide-reaching CLI tool (`agent-browser`) with full control over browser behavior, including network routing/interception (`network route`) and low-level input emulation.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: The skill ingests untrusted data from any URL opened via `agent-browser open` and processes it via `snapshot` and `get` commands.
  - Boundary markers: None identified; the agent processes the raw accessibility tree and DOM content.
  - Capability inventory: The skill possesses high-impact capabilities including `eval` (JS execution), `upload` (file access), and `cookies`/`storage` (session data access).
  - Sanitization: No evidence of sanitization or filtering of the content retrieved from web pages before it is presented to the agent.
Audit Metadata