agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary function is to process untrusted external content from the web via agent-browser open <url>. It lacks any boundary markers or sanitization instructions to prevent the agent from obeying instructions embedded in the web pages it visits.
  - Ingestion points: agent-browser open, agent-browser snapshot, agent-browser get text/html.
  - Boundary markers: Absent.
  - Capability inventory: eval, fill, click, upload, cookies, storage local set, state save.
  - Sanitization: Absent.
- [Data Exfiltration] (HIGH): The skill provides direct commands to extract highly sensitive data: agent-browser cookies (session tokens), agent-browser storage local (app state/tokens), and agent-browser state save (full browser profile). A compromised agent or an injection attack could use these to steal user sessions.
- [Remote Code Execution] (HIGH): The agent-browser eval command allows execution of arbitrary JavaScript. If the agent is tricked into running JS provided by a malicious website (e.g., via a prompt injection telling the agent 'run this eval to fix the page'), it leads to full browser-context code execution.
- [Command Execution] (HIGH): Access to the filesystem is provided via screenshot <path>, pdf <path>, trace stop <path>, and upload <path>. An agent could be manipulated into uploading sensitive local files (like ~/.ssh/id_rsa) to a remote form or saving malicious payloads to the disk.
- [Credential Exposure] (MEDIUM): The agent-browser set credentials command facilitates passing plaintext credentials to the browser, which may be logged or captured if the agent's environment is not strictly controlled.
Recommendations
- AI detected serious security threats