Browser Daemon
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The daemon (browser-daemon.js) executes arbitrary JavaScript strings provided via the exec command using page.evaluate(). This provides a high-privilege execution environment within the browser that can be leveraged to access sensitive data or perform unauthorized actions.
- COMMAND_EXECUTION (HIGH): The skill uses an insecure file-based IPC mechanism using the file .browser-command. Any process on the local system with write access to the skill's directory can write to this file and control the browser daemon, leading to potential session hijacking or local privilege escalation.
- DATA_EXFILTRATION (MEDIUM): The automation capabilities allow the browser to access local files (via file:// URLs) and internal network resources. Results from these actions can be read via exec or console commands and returned to the agent, posing a risk of sensitive data exposure.
- PROMPT_INJECTION (LOW): The skill possesses a significant indirect prompt injection surface by ingesting untrusted data from websites (console logs, page titles) and passing it to the agent without sanitization. (1) Ingestion points: Console logs and page metadata in browser-daemon.js. (2) Boundary markers: None; browser output is not delimited or sanitized. (3) Capability inventory: Arbitrary JS execution (exec), navigation, and content inspection. (4) Sanitization: No escaping or validation is performed on data retrieved from the browser context.
Recommendations
- AI detected serious security threats
Audit Metadata