browser-control
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). Because it is designed to operate on authenticated sites (Marriott, Alaska Airlines, Reddit), a malicious website visited by the agent could embed instructions that the agent then follows using the interact.js or navigate.js tools. This could result in unauthorized transfers of points, data theft, or account modification.
- [CREDENTIALS_UNSAFE] (HIGH): The architecture relies on a persistent browser profile (~/.brave-geoffrey) containing saved logins for highly sensitive travel and social media accounts. The skill provides direct tools to extract data from these authenticated sessions and interact with them, effectively turning the agent into a remote-control interface for the user's identities.
- [COMMAND_EXECUTION] (MEDIUM): launch-chrome.sh executes a specific browser binary and explicitly claims to "bypass district MDM" (Mobile Device Management). This indicates an intent to circumvent organizational security policies.
- [DATA_EXFILTRATION] (MEDIUM): While no hardcoded exfiltration URL is present, the combination of extract.js (reading PII/Points/Session data) and the agent's general ability to use tools like curl or Bash creates a clear path for data exfiltration if the agent is compromised via prompt injection.
Recommendations
- AI detected serious security threats