agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the web content it processes.
  - Ingestion points: The agent reads untrusted data from the internet using commands such as `agent-browser open`, `agent-browser snapshot`, and `agent-browser get text` (SKILL.md).
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to treat external web content as data rather than instructions.
  - Capability inventory: The `agent-browser` CLI includes capabilities for network navigation, form interaction, and local file system writes (e.g., `screenshot` and `state save`).
  - Sanitization: No sanitization or content validation is performed on the data retrieved from web pages.
- [COMMAND_EXECUTION]: The skill utilizes a custom CLI tool, `agent-browser`, to automate web interactions. While this is the intended functionality, it grants the agent a high degree of control over a browser environment which could be abused if the agent is successfully injected.
- [DATA_EXFILTRATION]: The skill includes the ability to save sensitive browser session data, including cookies and authentication tokens, to the local file system using the `agent-browser state save` command. While a legitimate feature for automation, it represents a data exposure risk if not handled carefully.
Audit Metadata