browserforce
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to access the user's real browser session, specifically mentioning 'real cookies' and 'logged-in sessions'. This provides an avenue for the agent to access and potentially extract session tokens, personal identification, and private data from any website where the user is authenticated (e.g., email, banking, or cloud services).
- [COMMAND_EXECUTION]: The skill utilizes the `browserforce` CLI tool to interact with the system. It enables the execution of commands like `browserforce tabs`, `browserforce snapshot`, and `browserforce screenshot`, which provide high-fidelity observation of the user's local computing environment.
- [REMOTE_CODE_EXECUTION]: The skill utilizes the `browserforce -e` flag to execute arbitrary Playwright JavaScript code. This dynamic execution allows the agent to generate and run scripts that can manipulate web pages, fill forms, and interact with the DOM in the user's authenticated context.
- [EXTERNAL_DOWNLOADS]: The skill metadata specifies the installation of the `browserforce` package from the Node package registry (NPM).
- [PROMPT_INJECTION]: As the skill is designed to read and process content from external websites (via `snapshot()` and `evaluate()`), it is inherently susceptible to indirect prompt injection where malicious instructions embedded in web pages could influence the agent's behavior. Evidence:
  - Ingestion points: Web content is ingested via `browserforce snapshot` and `browserforce -e "return await snapshot()"`.
  - Boundary markers: None identified in the provided instructions to separate web data from agent instructions.
  - Capability inventory: The skill has the capability to navigate, click, fill forms, and execute arbitrary JS via the `browserforce` tool.
  - Sanitization: No explicit sanitization of web content is mentioned before the data is processed by the agent.
Audit Metadata