skills/gyuha/skills/agent-browser/Gen Agent Trust Hub

agent-browser

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a CLI for controlling browser actions, including the ability to execute JavaScript in the page context via the 'eval' command. These features are standard for browser automation tools and are properly documented.
  • [PROMPT_INJECTION]: The skill manages the risk of indirect prompt injection from web content.
      • Ingestion points: Page content is ingested through 'snapshot' and 'get text' commands.
      • Boundary markers: The skill includes an 'AGENT_BROWSER_CONTENT_BOUNDARIES' feature that wraps untrusted content in nonced markers to maintain instruction-data separation.
      • Capability inventory: The tool can write files (screenshots, PDFs), read local files (when permitted), and access the network.
      • Sanitization: Implements content delimiters to prevent the model from following instructions found within scraped web data.
  • [EXTERNAL_DOWNLOADS]: The 'download' command allows the agent to trigger file downloads from websites, which is an intended core functionality.
  • [CREDENTIALS_UNSAFE]: Features an 'Auth Vault' that encrypts user credentials locally, preventing sensitive passwords from being exposed in the agent's prompt history.
  • [DATA_EXFILTRATION]: Provides an '--allow-file-access' flag to allow the browser to process local files. While this is a sensitive capability, it is documented as an opt-in feature for processing local documents like PDFs.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 04:52 AM