kernel-browser-management
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- Remote Code Execution (LOW): The skill exposes the
kernel browsers playwright executecommand and thekernel:execute_playwright_codetool. This allows the agent to run arbitrary Playwright/TypeScript code. This is classified as LOW because the execution occurs within a sandboxed cloud browser instance rather than on the host machine, and it is the central intended feature of the browser-management skill. - Command Execution (LOW): The skill relies on the
kernelCLI for all operations. This requires the execution of shell commands (e.g.,kernel browsers create,kernel browsers delete) to manage the infrastructure. This is standard behavior for a CLI-based management skill. - Indirect Prompt Injection (LOW):
- Ingestion points: Browser sessions navigate to untrusted external websites via the
page.gotofunction within Playwright scripts. - Boundary markers: No explicit markers or instructions are provided to the agent to distinguish between its system instructions and content found on the web pages it visits.
- Capability inventory: The skill allows for browser creation, deletion, arbitrary code execution in the browser, and taking screenshots.
- Sanitization: There is no evidence of sanitization or filtering of the content retrieved from the browser before it is returned to the agent's context.
Audit Metadata