web-access
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes several local shell scripts (check-deps.sh, ensure-browser.sh, close-browser.sh) to manage its execution environment and control browser processes.
- [COMMAND_EXECUTION]: The skill relies on the agent-browser CLI tool for comprehensive browser automation, enabling the agent to navigate URLs, click elements, and fill forms.
- [COMMAND_EXECUTION]: The agent is granted the ability to execute arbitrary JavaScript within the browser context via the agent-browser eval command, allowing for dynamic page interaction.
- [DATA_EXFILTRATION]: The skill provides tools to extract sensitive browser data, specifically the ability to list all cookies and view local storage content through agent-browser commands.
- [CREDENTIALS_UNSAFE]: Browser session data, including authentication cookies and storage, is persisted in the ~/.claude/browser-profile/ directory to maintain user states across different sessions.
- [EXTERNAL_DOWNLOADS]: The skill's setup instructions guide the agent to install external dependencies, specifically the agent-browser package from a global NPM registry.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when processing content from the web.
- Ingestion points: Data is ingested from search results and external web pages accessed via WebFetch or agent-browser interactions.
- Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands in the fetched web content.
- Capability inventory: The skill can execute shell scripts, manage local files (browser profile), and perform browser-based actions like typing and executing JavaScript.
- Sanitization: External content is processed and presented to the AI without sanitization or validation.
Audit Metadata