agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from the web.
- Ingestion points: Untrusted data enters the agent's context through web page navigation and snapshots via commands like
agent-browser openandagent-browser snapshotinSKILL.md. - Boundary markers: The documentation recommends using the
--content-boundariesflag to wrap page output in nonces, but this is an optional, opt-in feature. - Capability inventory: The skill provides high-impact tools including
click,fill,eval(JavaScript execution), andallow-file-access(local file reading) which could be manipulated by malicious content on a processed web page. - Sanitization: Beyond the recommended boundary markers, no specific sanitization or filtering of web-sourced content is described.
- [COMMAND_EXECUTION]: The skill uses the
agent-browserCLI tool for all operations, which allows for the execution of arbitrary JavaScript within the browser context via theevalcommand. This is a core feature of the tool but adds to the potential attack surface. - [DATA_EXFILTRATION]: The tool includes an
--allow-file-accessflag that enables the browser to read local files. This capability, combined with the browser's ability to navigate to external URLs and perform interactions like form submissions, creates a potential vector for exfiltrating sensitive local data if an agent is influenced by a malicious website. - [EXTERNAL_DOWNLOADS]: The documentation mentions installing the
appiumpackage and its drivers vianpmto support iOS mobile browser automation. These are standard dependencies for the tool's mobile-specific functionality and are used as intended for the primary skill purpose.
Audit Metadata