kernel-agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The guide describes a process for building skills that ingest untrusted data from websites via agent-browser snapshot. This creates a surface for indirect prompt injection where a malicious website could influence agent behavior.
  - Ingestion points: references/create-site-specific-skill.md (Step 2 & 3) describes using agent-browser snapshot to read page content.
  - Boundary markers: Absent. The guide does not suggest delimiters or instructions to ignore embedded content.
  - Capability inventory: The resulting skills have significant capabilities including agent-browser (navigation, clicking, filling) and arbitrary JavaScript execution via eval.
  - Sanitization: Absent. There is no mention of filtering or sanitizing web-derived data.
- Dynamic Execution (LOW): The guide recommends using agent-browser -p kernel eval "..." to execute arbitrary JavaScript within the browser context. This is used for 'Handling Tricky Elements' but represents a runtime code execution pattern.
- Credential Handling (LOW): The 'Credential Management' section suggests prompting users to store site-specific usernames and passwords in a local configuration file (AGENTS.md). Storing secrets in plaintext markdown files is a poor security practice that increases the risk of accidental credential exposure.
Audit Metadata