agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a CLI for controlling a browser, allowing for complex sequences of web interactions.
  • [REMOTE_CODE_EXECUTION]: The 'eval' command enables execution of arbitrary JavaScript within the browser context. It supports Base64-encoded input, which can be used to obfuscate scripts.
  • [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection.
      1. Ingestion points: Data is ingested from external websites via 'snapshot' and 'get text' (documented in SKILL.md).
      2. Boundary markers: Offers an opt-in '--content-boundaries' flag to isolate tool output.
      3. Capability inventory: Significant write and execute capabilities including 'click', 'fill', 'eval', and 'network route'.
      4. Sanitization: No default sanitization of ingested content before presenting to the agent.
  • [DATA_EXFILTRATION]: Injected instructions could potentially use the browser or local file access to exfiltrate session data or stored authentication tokens.
  • [EXTERNAL_DOWNLOADS]: The skill suggests using 'npx agent-browser' which involves downloading the tool at runtime from the NPM registry.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 3, 2026, 08:36 AM