agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core purpose is to ingest and act upon untrusted web content, which creates a significant attack surface.
  - Ingestion points: the `agent-browser snapshot` and `agent-browser get` commands ingest data from arbitrary URLs.
  - Boundary markers: none. There are no instructions to the agent to distinguish tool-provided instructions from web content.
  - Capability inventory: high-impact capabilities include `click`, `fill`, `screenshot`, `pdf`, and `select`, which allow state-changing actions and data capture.
  - Sanitization: no sanitization or filtering of the web content is performed before it is presented to the agent's context.
- [External Downloads] (LOW): The skill requires installing `agent-browser` via npm and downloading the Chromium browser. Per [TRUST-SCOPE-RULE], this is downgraded to LOW because it originates from a trusted organization (Vercel), but it still involves executing external binaries.
- [Data Exfiltration / Exposure] (MEDIUM): The tool can be used to navigate to internal network services (SSRF) or the local file system (via `file://`). The agent can then exfiltrate this data using `screenshot` to save files locally or `get text` to read contents into its memory.
- [Command Execution] (MEDIUM): The skill relies on shell command execution. If URLs or input strings are not properly sanitized by the underlying agent before being passed to the `agent-browser` CLI, this could lead to command injection on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata