agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill documentation includes steps to install 'agent-browser' globally via npm and download the Chromium binary. Evidence: 'npm install -g agent-browser' and 'agent-browser install' in SKILL.md. Context: The 'vercel-labs' organization is a trusted source; therefore, the external download finding is downgraded to LOW per [TRUST-SCOPE-RULE].
- COMMAND_EXECUTION (SAFE): The skill utilizes its own CLI to perform web automation tasks. Evidence: Commands such as 'agent-browser open', 'click', and 'fill'. Context: These are standard functional calls for the skill's primary purpose.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it retrieves and processes content from external websites.
  1. Ingestion points: 'agent-browser snapshot' and 'agent-browser get text' ingest untrusted DOM content into the agent context.
  2. Boundary markers: Absent; there are no instructions provided to separate scraped content from system instructions.
  3. Capability inventory: The agent has the capability to 'click' elements, 'fill' forms, and take 'screenshot' actions based on its interpretation of the page.
  4. Sanitization: Absent; the skill does not implement or suggest filtering of the retrieved web data.