agent-browser

Warn

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the agent-browser CLI through Bash commands to perform web automation tasks.
    • Evidence: allowed-tools in SKILL.md permits Bash(agent-browser:*) and Bash(npx agent-browser:*).
  • [REMOTE_CODE_EXECUTION]: The eval command allows the agent to execute arbitrary JavaScript code within the browser context. This can be used to bypass tool restrictions or perform complex actions on pages.
    • Evidence: agent-browser eval is documented in SKILL.md and references/commands.md, including recommendations to use Base64 encoding (-b) or stdin to bypass shell interpretation.
  • [DATA_EXFILTRATION]: The skill provides multiple ways to access or extract sensitive data from the local system or web environment.
    • Sensitive File Access: Supports the file:// protocol, allowing the agent to read local files if --allow-file-access is enabled.
      • Evidence: SKILL.md section on "Local Files (PDFs, HTML)".
    • Clipboard Access: Includes commands to read from the system clipboard.
      • Evidence: agent-browser clipboard read in SKILL.md and references/commands.md.
    • Network Inspection: Allows tracking and inspecting all network requests made by the browser.
      • Evidence: agent-browser network requests in references/commands.md.
  • [CREDENTIALS_UNSAFE]: Session states and credentials are saved in potentially insecure ways.
    • Plaintext Tokens: The skill saves session cookies and localStorage to files in plaintext by default. While encryption is supported, it requires the user to manually set an environment variable.
      • Evidence: SKILL.md section on "Handling Authentication" states: "State files contain session tokens in plaintext".
    • Credential Storage: The auth vault stores credentials locally. While noted as encrypted, it represents a centralized target for harvesting.
      • Evidence: agent-browser auth save in SKILL.md.
  • [EXTERNAL_DOWNLOADS]: The skill involves downloading external binaries and content from the web.
    • Binary Installation: agent-browser install downloads the Chrome/Chromium binary at runtime.
      • Evidence: SKILL.md installation section.
    • File Downloads: The download command can be used to fetch files from the web to the local filesystem.
      • Evidence: agent-browser download @e1 ./file.pdf in SKILL.md.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it processes untrusted data from any website while possessing powerful capabilities (FS access, JS execution).
    • Ingestion points: open, snapshot, get text (all files).
    • Boundary markers: Opt-in mitigation via --content-boundaries (documented in SKILL.md).
    • Capability inventory: Subprocess calls (tool execution), JS execution (eval), file system writes (state save, screenshot), network operations.
    • Sanitization: Relies on the user to configure domain allowlists or action policies.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 5, 2026, 06:12 PM