agent-browser

Fail

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The execute function allows the agent to run arbitrary JavaScript code within the browser context. This capability can be exploited to bypass security controls, manipulate page content, or extract sensitive session-specific data such as cookies, local storage, and authentication tokens.
  • [DATA_EXFILTRATION]: The interact function supports an upload action that accepts local file_paths. This allows an agent to read arbitrary local files and upload them to a remote server, which is a high-risk vector for sensitive data exposure and exfiltration.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes content from arbitrary external websites. Malicious instructions embedded in a web page's HTML or metadata could hijack the agent's behavior, leveraging its browser automation tools to perform unauthorized actions.
    • Ingestion points: Web page elements and text content retrieved via the open and snapshot functions defined in SKILL.md and references/commands.md.
    • Boundary markers: None identified; the skill does not use delimiters or instructions to separate untrusted web content from system prompts.
    • Capability inventory: Arbitrary JavaScript execution (execute), local file upload (interact), and session state management across functions as described in references/session-management.md.
    • Sanitization: There is no implementation of content filtering or sanitization to prevent the agent from obeying instructions found within the processed web data.
  • [CREDENTIALS_UNSAFE]: The documentation in references/authentication.md and templates/authenticated-session.sh provides patterns for handling user credentials and extracting session cookies. While it suggests using environment variables, the inherent design encourages the agent to manage and potentially expose sensitive authentication information.
  • [EXTERNAL_DOWNLOADS]: The SKILL.md file suggests installing additional vendor tools using npx skills add inference-sh/skills@agent-tools, which involves downloading and executing code from the vendor's repository.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 17, 2026, 06:13 PM