agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes an `eval` command that allows the execution of arbitrary JavaScript within the browser instance. This capability poses a risk if malicious code is introduced via untrusted inputs or indirect injection.
- [DATA_EXFILTRATION]: Through the `--allow-file-access` flag, the browser can access local system files using the `file://` protocol. This creates a risk of exposing local data if combined with the tool's extraction or network navigation features.
- [CREDENTIALS_UNSAFE]: Features like `auth save` and `state save` store sensitive authentication data, cookies, and session tokens in local files such as `auth-state.json`. If these files are compromised or accidentally committed to version control, it leads to credential exposure.
- [EXTERNAL_DOWNLOADS]: The skill utilizes `npx agent-browser`, which dynamically downloads and executes the browser automation tool from the NPM registry.
- [PROMPT_INJECTION]: The tool is vulnerable to indirect prompt injection by ingesting untrusted web data into the agent's context. Ingestion points: `agent-browser snapshot`, `agent-browser get text`, and `agent-browser get html` (referenced in SKILL.md and capture-workflow.sh). Boundary markers: Optional support for `AGENT_BROWSER_CONTENT_BOUNDARIES` to wrap page-sourced output is available but not enforced. Capability inventory: Extensive browser automation including `eval` (command execution), local file access via `--allow-file-access`, and network navigation. Sanitization: Content from the browser is returned to the agent without mandatory sanitization or filtering.
Audit Metadata