agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, where malicious instructions embedded in untrusted web pages could be interpreted by the agent during automation or scraping tasks.
  - Ingestion points: Web page content retrieved via `snapshot`, `get text`, and `screenshot --annotate` in `SKILL.md` and `references/snapshot-refs.md`.
  - Boundary markers: The skill includes an optional `AGENT_BROWSER_CONTENT_BOUNDARIES` feature to help the agent distinguish between tool output and page content.
  - Capability inventory: Includes JavaScript execution (`eval`), file system interaction (`download`, `upload`), and local file access via `file://` URLs.
  - Sanitization: No explicit sanitization of web content is performed before it is returned to the agent's context, relying on opt-in boundaries.
- [DATA_EXFILTRATION]: The tool can access local files via the `file://` protocol if the `--allow-file-access` flag is used (documented in `SKILL.md`). This capability could be exploited to read sensitive files from the host system if the agent is directed to malicious or unauthorized local paths.
- [REMOTE_CODE_EXECUTION]: The `eval` command (documented in `references/commands.md`) allows the execution of arbitrary JavaScript within the browser context. While a core feature for automation, it represents a significant risk if the executed code is influenced by untrusted external data.
- [COMMAND_EXECUTION]: The skill operates by executing `agent-browser` or `npx agent-browser` commands in a shell environment, granting the agent programmatic control over browser sessions.
Audit Metadata