agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's primary entry point is via `npx agent-browser`, which dynamically fetches and executes the automation engine from the npm registry at runtime.
- [REMOTE_CODE_EXECUTION]: The `eval` command permits the execution of arbitrary JavaScript within the browser environment. The skill documentation explicitly supports and recommends Base64 encoding or stdin for these scripts to bypass shell escaping, which can obfuscate the code's intent.
- [COMMAND_EXECUTION]: The skill provides extensive capabilities to run browser instances, including support for custom browser binaries via the `--executable-path` flag and the ability to load arbitrary browser extensions.
- [DATA_EXFILTRATION]: When the `--allow-file-access` flag is used, the agent can navigate to `file://` URLs, allowing it to read and extract sensitive local files via screenshots, PDF generation, or text extraction commands.
- [PROMPT_INJECTION]: As the skill is designed to process external web content, it is susceptible to indirect prompt injection where malicious instructions on a webpage could influence the agent's behavior. The skill includes an optional `--content-boundaries` feature to help mitigate this risk.
- [CREDENTIALS_UNSAFE]: The `auth vault` functionality stores sensitive credentials in a local state. While it supports encryption, the security of these secrets relies on the management of the `AGENT_BROWSER_ENCRYPTION_KEY` environment variable.
Audit Metadata