agent-browser

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • DATA_EXFILTRATION (HIGH): The skill provides the --allow-file-access flag and supports the file:/// protocol (documented in references/common-patterns.md), enabling the agent to read sensitive local files. Because the tool can also navigate to external URLs and submit form data, it creates a high-risk vector for exfiltrating host data to external servers.
  • COMMAND_EXECUTION (MEDIUM): The eval command (including -b/--base64 and --stdin modes) allows for the execution of arbitrary JavaScript code within the browser context. This bypasses standard tool constraints and allows the agent to execute complex logic that could be manipulated by malicious web content.
  • PROMPT_INJECTION (LOW): This skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      ◦ Ingestion points: agent-browser snapshot, agent-browser get text, and agent-browser screenshot (seen in SKILL.md and capture-workflow.sh).
      ◦ Boundary markers: None; the agent processes raw web content without delimiters or instruction-bypass protection.
      ◦ Capability inventory: Full browser control including eval, fill, and navigation (documented in commands.md).
      ◦ Sanitization: No evidence of sanitization or filtering of external web content.
  • CREDENTIALS_UNSAFE (LOW): While the skill advises using environment variables, the agent-browser state save command persists plain-text session tokens and cookies to the local filesystem (e.g., auth-state.json), which could be exposed if the environment is not strictly isolated.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 19, 2026, 12:26 PM