agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: All browser interactions are performed by executing the
agent-browserCLI tool through Bash, which is the primary mechanism of the skill. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it extracts text and interactive elements from external websites and presents them to the LLM without sanitization.
- Ingestion points: Untrusted content is ingested from the web using
agent-browser open,snapshot, andget textcommands inSKILL.mdandtemplates/capture-workflow.sh. - Boundary markers: There are no boundary markers or explicit system instructions to ignore instructions embedded in the extracted web content.
- Capability inventory: The skill possesses powerful capabilities including form filling (
fill), clicking (click), file uploads (upload), and arbitrary JavaScript execution viaagent-browser eval. - Sanitization: No sanitization, validation, or filtering is performed on the data retrieved from external sources before it enters the agent context.
Audit Metadata