agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Remote Code Execution (HIGH): The SKILL.md file contains a command to install the CLI tool via 'curl -fsSL https://cli.inference.sh | sh'. This method of piping remote code from a non-trusted domain directly into a shell is a major security risk, as the script is not verified and can execute arbitrary code on the user's host machine.
- Dynamic Execution (MEDIUM): The 'execute' function allows the agent to run arbitrary JavaScript within the browser context. While this is a core feature for automation, it can be exploited to bypass security controls or access sensitive data within the browser session if the agent is manipulated.
- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection as it ingests untrusted data from web pages.
- Ingestion points: Web page content is retrieved via 'elements_text' and JavaScript execution results in SKILL.md and templates/capture-workflow.sh.
- Boundary markers: No boundary markers or 'ignore' instructions are used when passing web content to the agent.
- Capability inventory: The skill possesses high-impact capabilities including JavaScript execution ('execute'), file uploads ('upload' action), and tool access ('Bash(infsh *)').
- Sanitization: There is no evidence of sanitization or filtering of the content scraped from the web before it reaches the agent's context.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata