agent-browser

Warn

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: MEDIUM; REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Dynamic Execution (MEDIUM): The 'agent-browser eval' command, documented in 'references/commands.md', permits the execution of arbitrary JavaScript through Base64 or standard input. This capability could be exploited to run malicious scripts if the input source is not strictly controlled.
  • Data Exposure (MEDIUM): In 'templates/authenticated-session.sh' and 'references/session-management.md', the skill facilitates saving authenticated session states, including cookies and local storage, to JSON files. Unauthorized access to these files would grant an attacker full session access.
  • Indirect Prompt Injection (LOW): By design, the skill processes untrusted content from external websites via 'agent-browser snapshot' and 'get text' (see 'templates/capture-workflow.sh').
      (1) Ingestion points: 'agent-browser snapshot' and 'get text' in 'templates/capture-workflow.sh'.
      (2) Boundary markers: Absent in provided templates.
      (3) Capability inventory: Commands like 'fill', 'click', 'eval', and 'state save' found across all files.
      (4) Sanitization: No sanitization is performed on ingested data.
  • Safety Bypass (LOW): The 'references/proxy-support.md' documentation describes the '--ignore-https-errors' flag, which allows bypassing SSL/TLS certificate checks, potentially exposing the session to man-in-the-middle attacks.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 22, 2026, 04:38 AM