agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external web pages.
  - Ingestion points: Web content is fetched and converted into element snapshots or raw text via the `open`, `snapshot`, and `execute` functions (SKILL.md, references/commands.md).
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore potentially malicious commands embedded in the web content.
  - Capability inventory: The skill allows for significant browser control, including `execute` (JavaScript), `upload` (files), and `interact` (clicking, typing) (references/commands.md).
  - Sanitization: Content from web pages is processed and presented to the agent without specific sanitization or filtering of instructions.
- [COMMAND_EXECUTION]: The `execute` function allows the agent to run arbitrary JavaScript code within the browser context.
  - Evidence: The documentation provides examples for extracting page data, calculating styles, and manipulating the DOM via the `execute` function (references/commands.md).
  - Context: While this is a core feature for web automation, it grants the agent high-level control over the browser session.
- [DATA_EXFILTRATION]: The skill provides the ability to extract sensitive browser data such as cookies and session state.
  - Evidence: The documentation in `references/authentication.md` explicitly shows how to use JavaScript to extract `document.cookie` and other resource metadata.
  - Mitigation: The skill author includes a 'Security Best Practices' section warning against hardcoding credentials and logging sensitive data (references/authentication.md).
Audit Metadata