agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill contains templates designed to capture and process content from external, untrusted websites.
  - Ingestion points: Untrusted data enters the context via `agent-browser get text`, `agent-browser snapshot`, and `agent-browser pdf` in `templates/capture-workflow.sh` and `templates/form-automation.sh`.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the shell templates.
  - Capability inventory: The skill leverages `agent-browser` for full browser control, including navigation, form submission, and file system writes (screenshots, PDFs, text logs).
  - Sanitization: No sanitization or filtering is performed on extracted web content before it is saved to the local file system or presented to the agent.
- [Data Exposure & Exfiltration] (SAFE): The documentation correctly identifies the risk of session token exposure in state files and provides explicit guidance on using `.gitignore` and environment variables to mitigate credential leakage.
- [Remote Code Execution] (SAFE): No patterns of downloading and executing remote scripts (e.g., `curl | bash`) were detected. The skill relies on a local installation of the `agent-browser` utility.