skills/gsd-build/gsd-2/agent-browser/Gen Agent Trust Hub

agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill allows accessing local files using the --allow-file-access flag and file:// URLs. Evidence: SKILL.md mentions 'agent-browser --allow-file-access open file:///path/to/document.pdf'. This capability, combined with the ability to extract page content via 'snapshot' or 'get text', could be used to expose sensitive local information (such as configuration files or keys) to the agent context.
  • [COMMAND_EXECUTION]: The eval command allows the execution of arbitrary JavaScript within the browser context. Evidence: SKILL.md and references/commands.md describe 'agent-browser eval'. This can be used to perform actions on behalf of the user, scrape sensitive data from authenticated sessions, or interact with page elements in ways not covered by standard commands.
  • [PROMPT_INJECTION]: The skill has a significant surface for indirect prompt injection.
      • Ingestion points: 'agent-browser open ' followed by 'snapshot' (SKILL.md) where untrusted web content enters the agent context.
      • Boundary markers: The skill supports 'AGENT_BROWSER_CONTENT_BOUNDARIES' (SKILL.md) which can wrap page output in markers, but it is an opt-in feature and disabled by default.
      • Capability inventory: 'eval' (JS execution), 'open' (network access), 'download' (file write), 'state save' (file write), 'screenshot' (file write), '--allow-file-access' (local file read).
      • Sanitization: No mandatory sanitization or filtering of external web content is performed before it is presented to the agent.
  • [EXTERNAL_DOWNLOADS]: The skill references 'npx agent-browser', which downloads and executes code from the npm registry. It also supports remote browser providers, proxies, and the installation of Appium for mobile automation as noted in SKILL.md.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 22, 2026, 11:49 AM