reserve-with-google
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the `agent-browser` CLI tool to perform web automation. It includes Bash scripts such as `search-and-book.sh` and `search-places.sh` that execute browser commands with parameters derived from user input (name, phone, query). These operations are consistent with the skill's primary purpose of making reservations.
- [EXTERNAL_DOWNLOADS]: The skill interacts with several external, well-known services including Google Maps, OpenTable, Resy, Vagaro, Yelp, and Toast. These interactions are documented and necessary for the reservation flow. The dependency on `agent-browser` targets a repository managed by Vercel Labs, which is a trusted organization.
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because it processes content from external websites.
  - Ingestion points: Data is ingested via `agent-browser snapshot` across various steps in `SKILL.md` and `scripts/search-and-book.sh`.
  - Boundary markers: Absent; the skill does not use specific delimiters or instructions to ignore embedded commands in the website snapshots.
  - Capability inventory: The skill utilizes `agent-browser` for navigation, form filling, and capturing snapshots, which requires active internet access and shell execution capabilities.
  - Sanitization: No visible sanitization is applied to the content retrieved from websites before it is presented to the agent for parsing.
- [CREDENTIALS_UNSAFE]: The skill facilitates the use of a persistent browser profile located at `~/.reservegoogle` to store authentication states for Google accounts. It also supports proxy authentication via the `AGENT_BROWSER_PROXY` environment variable, which may contain plaintext credentials. This is standard functionality for automated booking tools but requires users to manage their environment securely.
Audit Metadata