agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies extensively on a local CLI tool `agent-browser` via Bash. It provides full control over the browser environment, including network routing, device emulation, and session management.
- [DATA_EXFILTRATION]: Several commands allow for the extraction of sensitive information from the browser session:
  - `agent-browser cookies`: Allows reading all session cookies, which may include authentication tokens.
  - `agent-browser storage local`: Grants access to the browser's local storage data.
  - `agent-browser get html / text`: Extracts page content which could contain PII or sensitive internal data.
  - `agent-browser screenshot / pdf`: Can be used to capture and potentially exfiltrate visual information.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8).
  - Ingestion points: Untrusted data enters the agent context via `agent-browser open`, `snapshot`, and `get text` from arbitrary URLs.
  - Boundary markers: The provided instructions do not include delimiters or warnings to ignore instructions embedded within the retrieved web content.
  - Capability inventory: The agent has the ability to execute network requests, write files (`screenshot path.png`, `pdf output.pdf`, `state save auth.json`), and execute JavaScript (`eval`).
  - Sanitization: There is no evidence of sanitization for content retrieved from web pages before it is processed by the agent.
- [REMOTE_CODE_EXECUTION]: The `agent-browser eval` command allows for the execution of arbitrary JavaScript within the context of the loaded web page. While sandboxed by the browser, this allows for complex interactions and data manipulation that could be exploited if the agent is misled by malicious page content.
Audit Metadata