agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill includes an `execute` function that allows for the execution of arbitrary JavaScript code within the browser context, as documented in `references/commands.md` and `SKILL.md`. This provides a high-privilege interface for interacting with web applications.
- [DATA_EXFILTRATION]: The documentation provides explicit examples of using JavaScript execution to extract sensitive browser data, such as `document.cookie` and performance entries, which can contain session tokens (found in `references/authentication.md`).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process content from untrusted external websites.
  - Ingestion points: Data enters the agent's context through the `open` and `snapshot` functions which retrieve page content and element descriptions.
  - Boundary markers: The provided templates and instructions do not implement boundary markers or instructions to ignore embedded commands in the retrieved web content.
  - Capability inventory: The skill possesses powerful capabilities including arbitrary code execution (`execute`), file uploading (`upload`), and programmatic form interaction (`fill`, `click`).
  - Sanitization: There is no evidence of sanitization or filtering of the HTML/text content retrieved from pages before it is presented to the agent.
- [CREDENTIALS_UNSAFE]: The skill's templates (e.g., `templates/authenticated-session.sh`) and documentation (e.g., `references/authentication.md`) facilitate the handling of authentication credentials via environment variables and shell scripts. While it follows the best practice of avoiding hardcoded secrets, the orchestration of plaintext credentials through the shell environment remains a security concern if the environment is not properly isolated.
Audit Metadata