browser
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill documentation encourages the use of Python heredocs (
uv run python <<'EOF') for advanced automation and scraping tasks. This pattern allows the agent to generate and execute arbitrary Python scripts on the host machine, which could be exploited to run malicious code if the agent's instructions are influenced by untrusted content. - DATA_EXFILTRATION (MEDIUM): The guide in
refs/scraping.mdexplicitly instructs the agent on how to interceptrequest.headers(which typically include sensitive session cookies and Bearer tokens) and save them to local JSON files (tmp/request-details.json). This behavior facilitates the exposure of credentials, especially if the agent is directed to interact with an authenticated session on a sensitive site. - PROMPT_INJECTION (LOW): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core function of navigating to and reading arbitrary web pages. Malicious websites could contain hidden instructions designed to hijack the agent's browser session or exploit its host-level execution capabilities.
- Ingestion points: Untrusted data enters the agent context via
snapshot(ARIA tree),textcontent extraction, andpage.on("response")listeners. - Boundary markers: The instructions do not provide delimiters or specific warnings to the agent to ignore instructions embedded within the retrieved web content.
- Capability inventory: The skill possesses the ability to write to the filesystem and execute arbitrary Python code via the
uv runheredoc mechanism. - Sanitization: There is no evidence of sanitization or filtering of external web content before it is processed by the agent or used in subsequent commands.
Audit Metadata