agent-browser-aircall-local
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `agent-browser` CLI tool and `fish` shell to perform automation. It constructs shell commands using variables like `<PORT>`, `<TOKEN>`, and `<TARGET_PATH>`. If these inputs are not strictly validated by the calling agent, they could potentially lead to command injection.
- [CREDENTIALS_UNSAFE]: The workflow retrieves a staging JWT token and passes it directly as a query parameter in a shell command (`agent-browser ... open "...token=<TOKEN>..."`). Passing sensitive credentials in command-line arguments is risky as they can be captured in shell history or viewed in process lists. Additionally, tokens in URLs may be stored in local server logs.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes content from local web pages.
- Ingestion points: Browser snapshots retrieved via `agent-browser snapshot -i` (SKILL.md).
- Boundary markers: None present; data from the browser is provided directly to the agent context.
- Capability inventory: Shell execution for browser navigation, element interaction (click/fill), and screenshot capture (SKILL.md).
- Sanitization: No sanitization or filtering of the interactive element text or page content is mentioned.