agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS · REMOTE_CODE_EXECUTION · COMMAND_EXECUTION · PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The installation instructions in SKILL.md tell the user to run a remote script with the pattern "curl -fsSL https://cli.inference.sh | sh". This is a high-risk practice: it executes unverified code from an external server directly in the user's shell, with no opportunity to inspect the script, pin its version, or check a digest before it runs.
- REMOTE_CODE_EXECUTION (HIGH): The skill relies on a remote CLI tool (infsh) installed via that unverified script. Since the source, inference.sh, is not a recognized trusted entity, this constitutes remote code execution from an untrusted source.
- COMMAND_EXECUTION (MEDIUM): The skill includes an "execute" function that allows the agent to run arbitrary JavaScript on any web page. While this is a functional requirement for advanced automation, it is a powerful dynamic code execution capability that could be abused if the agent is manipulated.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8) because its core function is processing untrusted web content.
  - Ingestion points: Untrusted data enters the agent context through the "open", "snapshot", and "execute" functions, which read live website data.
  - Boundary markers: Absent. The skill provides no markers or system instructions telling the agent to disregard instructions embedded in the websites it visits.
  - Capability inventory: The skill allows subprocess calls (infsh), file uploads, and arbitrary JavaScript execution, a high-impact set of tools for an injector to target.
  - Sanitization: None. Website content is not filtered before it is presented to the agent.
Recommendations
- HIGH: Downloads and executes remote code from https://cli.inference.sh. DO NOT USE without thorough review.
- AI detected serious security threats
Audit Metadata