skills/dwsy/agent/web-browser/Gen Agent Trust Hub

web-browser

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH

Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/eval.js uses the AsyncFunction constructor to execute arbitrary JavaScript strings provided as command-line arguments within the browser context. This allows for arbitrary code execution on any page the browser navigates to.
  • [DATA_EXFILTRATION]: Several scripts are designed to extract sensitive user data. scripts/cookies.js allows listing and exporting all browser cookies to a JSON file. scripts/storage.js provides full access to read and write localStorage and sessionStorage. scripts/network.js can capture all network request and response headers, which often contain session tokens and API keys.
  • [COMMAND_EXECUTION]: The skill provides a large suite of scripts (36 in total) that allow the AI agent to perform any action a human user could, including clicking (click.js), typing (type.js), and submitting forms (submit.js).
  • [CREDENTIALS_UNSAFE]: As documented in FIX_NOTE.md and examples.js, the scripts/start.js script supports a --profile flag that can copy the user's primary browser profile into the agent's environment, exposing all saved credentials and active sessions to the AI agent.
  • [EXTERNAL_DOWNLOADS]: scripts/download.js enables the browser to trigger and manage file downloads to the local temporary directory, which could be used to place malicious payloads on the system.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. Since the agent is instructed to read metadata (get-meta.js), element text (get-element.js), and console logs (check-console.js) from arbitrary websites, a malicious webpage could embed instructions that the AI agent might interpret as its own commands.
  • [PRIVILEGE_ESCALATION]: scripts/start.js specifically detects if it is running as root and automatically disables security sandboxes (--no-sandbox, --disable-setuid-sandbox), significantly increasing the risk if the browser process is compromised.
  • [OTHER]: scripts/start.js uses the --disable-web-security flag, which bypasses the Same-Origin Policy (SOP). This allows scripts on one website to access data from another origin, facilitating cross-site data theft and session hijacking.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 4, 2026, 06:09 AM