agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the agent-browser CLI through shell commands. This enables the agent to perform a wide range of browser actions, providing extensive control over the environment's web interaction capabilities.
- [REMOTE_CODE_EXECUTION]: The agent-browser eval command permits the execution of arbitrary JavaScript within the browser. This feature, especially when using Base64 encoding or stdin, allows for complex script execution that could be used to bypass security controls or interact with sensitive browser data.
- [DATA_EXFILTRATION]: When configured with the --allow-file-access flag, the tool can open local files using the file:// protocol. An attacker-controlled website or a compromised agent could use this to read sensitive files (e.g., SSH keys or configuration files) and exfiltrate them via screenshots or text extraction.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Malicious instructions can be embedded in web pages processed by the agent. While the skill offers AGENT_BROWSER_CONTENT_BOUNDARIES to help distinguish page content from instructions, this feature is opt-in.
  - Ingestion points: Accessibility trees and text extracted from external URLs via snapshot and get text.
  - Boundary markers: Opt-in delimiters provided by the AGENT_BROWSER_CONTENT_BOUNDARIES environment variable.
  - Capability inventory: Full browser interaction, file writing (screenshots and PDFs), and network access.
  - Sanitization: No default sanitization of page-sourced content.
- [EXTERNAL_DOWNLOADS]: The skill documentation suggests using npx to run the agent-browser tool, which fetches code from the npm registry at runtime. It also lists external dependencies like appium for mobile browser emulation.
- [CREDENTIALS_UNSAFE]: Templates and documentation demonstrate handling credentials through environment variables and state files. Although an encrypted 'Auth Vault' is available, the persistence of session cookies and localStorage in state files (e.g., auth-state.json) poses a risk of credential theft if the local file system is compromised.
Audit Metadata