agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection due to its core function of ingesting and acting upon content from external websites.
  - Ingestion points: Ingestion occurs through commands like 'agent-browser open' and 'agent-browser get text' in 'templates/capture-workflow.sh'.
  - Boundary markers: No specific boundary markers are provided to the agent to distinguish between its own instructions and content fetched from the web.
  - Capability inventory: The agent has access to sensitive capabilities such as 'click', 'fill', and 'eval' which can be abused if the agent follows instructions embedded in a malicious webpage.
  - Sanitization: No sanitization of external web content is implemented in the templates.
- [COMMAND_EXECUTION] (LOW): The 'agent-browser eval' command, as documented in 'references/commands.md', allows for the execution of arbitrary JavaScript. Although intended for legitimate DOM manipulation, this feature represents a vector for dynamic execution if the agent is directed to process untrusted strings.
Audit Metadata