agent-browser
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to process content from external websites, creating a surface for indirect prompt injection where malicious instructions embedded in web pages could attempt to influence the agent's behavior.
  - Ingestion points: Untrusted data enters the agent's context through the 'agent-browser open', 'agent-browser snapshot', and 'agent-browser get text' commands, as seen in SKILL.md.
  - Boundary markers: The tool supports an optional '--content-boundaries' flag (documented in SKILL.md) to help the agent distinguish page content from tool output, but it is not enforced by default.
  - Capability inventory: The agent can use the tool to perform network operations, write to the local filesystem (e.g., screenshots, state files), and execute scripts within the browser.
  - Sanitization: There is no evidence of automatic sanitization or filtering of external content before it is returned to the agent context.
- [COMMAND_EXECUTION]: The skill includes an 'eval' command that allows execution of arbitrary JavaScript within the browser context. This is a powerful dynamic execution capability that could be misused if the agent handles untrusted input within the script.
- [DATA_EXFILTRATION]: The tool supports the 'file://' protocol and an '--allow-file-access' flag, which provides the capability to read local files. This could lead to sensitive data exposure if the agent is directed to access system files or configuration documents.
Audit Metadata