agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Enables execution of arbitrary code within the browser context.
    • Evidence: The eval and wait --fn commands allow running arbitrary JavaScript on the current page.
  • [DATA_EXFILTRATION]: Provides tools to extract and persist sensitive session data and local files.
    • Evidence: The cookies and storage local commands retrieve session tokens and local application data.
    • Evidence: The state save command writes the browser's current state (including cookies) to a local JSON file.
    • Evidence: Support for the file:// protocol in the open command allows reading local file system content into the browser.
  • [PROMPT_INJECTION]: Creates an attack surface for indirect prompt injection from untrusted web sources.
    • Ingestion points: Untrusted content is ingested via agent-browser open <url> and processed using snapshot.
    • Capability inventory: High-privilege capabilities include file writing (PDF/screenshots), state persistence, and network routing.
    • Boundary markers: No delimiters or "ignore" instructions are used when processing web content.
    • Sanitization: No evidence that web content is sanitized before being passed to the agent.
  • [EXTERNAL_DOWNLOADS]: Allows loading external browser extensions and connecting to remote cloud browser providers.
    • Evidence: The --extension and --provider flags allow integrating external components.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 13, 2026, 11:03 AM