agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The `eval` command allows for the execution of arbitrary JavaScript within the browser context. The tool explicitly supports a `-b` or `--base64` flag to execute Base64-encoded scripts, which serves as a method for obfuscating executable logic to bypass shell character restrictions.
- [DATA_EXFILTRATION]: The skill can access the local filesystem through the `--allow-file-access` flag (e.g., `agent-browser --allow-file-access open file:///path/to/document.pdf`). It also facilitates the persistent storage of sensitive session data, cookies, and passwords on the local disk via the `state save` and `auth save` commands.
- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection as it is designed to ingest and process untrusted data from external websites.
  - Ingestion points: Data enters the agent's context through `open`, `snapshot`, and `get text` commands.
  - Boundary markers: The tool provides an optional `--content-boundaries` feature to help the agent distinguish page content, but it is not enabled by default.
  - Capability inventory: The tool possesses capabilities for network access, filesystem writes (for screenshots, PDFs, and state files), and credential management.
  - Sanitization: There is no documented evidence of automated sanitization or filtering of the web content before it is returned to the agent.
- [EXTERNAL_DOWNLOADS]: The skill instructions rely on `npx agent-browser:*`, which triggers the download and execution of packages from the NPM registry at runtime, introducing a dependency on external package integrity.
- [REMOTE_CODE_EXECUTION]: The combination of arbitrary navigation and browser-side `eval` capabilities creates a significant vector where malicious web content could influence the execution of code within the browser session.
Audit Metadata