agent-browser

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE

Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's templates and documentation rely on executing the 'infsh' CLI tool to manage browser sessions and perform actions. It also uses standard utilities like 'jq', 'grep', and 'ls' within its shell scripts as seen in 'templates/capture-workflow.sh'.
  • [REMOTE_CODE_EXECUTION]: The skill provides an 'execute' function that allows the agent to run arbitrary JavaScript code within the context of the browser. This is a core feature for advanced web scraping and interaction but allows for the execution of logic on the target page as defined in 'references/commands.md'.
  • [DATA_EXFILTRATION]: Documentation in 'references/authentication.md' provides examples for extracting browser cookies and session data using the 'execute' function (e.g., 'document.cookie'). This capability is intended for session persistence but could be used to extract sensitive authentication tokens.
  • [PROMPT_INJECTION]: As a web browsing tool, it is inherently susceptible to indirect prompt injection where malicious instructions on web pages influence the agent. Evidence chain:
    • Ingestion points: The 'open', 'snapshot', and 'execute' functions ingest data from arbitrary URLs as described in 'SKILL.md' and 'templates/capture-workflow.sh'.
    • Boundary markers: No specific boundary markers or warnings to ignore embedded instructions are implemented in the tool's usage examples.
    • Capability inventory: The skill can execute shell commands via 'infsh' and run JavaScript within the browser context.
    • Sanitization: There is no evidence of automated sanitization or filtering of the extracted page content before it is returned to the agent.
Audit Metadata

Risk Level: SAFE
Analyzed: Mar 10, 2026, 09:25 PM