agent-browser

Pass

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the infsh (inference.sh) CLI to manage browser sessions and perform automation tasks.
  • [REMOTE_CODE_EXECUTION]: The execute function allows the agent to run arbitrary JavaScript code within the browser context. That code runs with the privileges of the open page (its DOM, its storage and same-origin requests), so if the agent is steered by malicious input the capability can be turned against the user's own sessions.
  • [DATA_EXFILTRATION]: The skill provides tools for extracting browser cookies and uploading local files to remote websites, creating a pathway for potential exfiltration of sensitive information.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted content from the web.
  • Ingestion points: Untrusted data from web pages is brought into the agent's context through the open, snapshot, and execute functions (documented in SKILL.md and references/commands.md).
  • Boundary markers: The skill does not implement boundary markers or instructions for the agent to ignore embedded commands within the scraped web content.
  • Capability inventory: The skill possesses capabilities for arbitrary JavaScript execution, file uploads, and media capture (screenshots/video), which could be leveraged by an indirect injection attack.
  • Sanitization: There is no evidence of sanitization or filtering of the HTML or text content retrieved from websites before it is provided to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 18, 2026, 01:25 AM