agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a high-risk attack surface due to its ability to process untrusted web content and perform sensitive actions.
- Ingestion points: Any URL opened via 'open' or content analyzed via 'snapshot' and 'get text'.
- Boundary markers: None identified; the agent processes raw DOM/text data.
- Capability inventory: Browser interaction (click, fill, type), navigation, and file system operations (screenshot, state save/load).
- Sanitization: No sanitization or filtering of malicious instructional content within web pages is described.
- [Data Exfiltration] (HIGH): The 'state save' and 'state load' commands facilitate the movement of sensitive session data (cookies, local storage) to the file system. A malicious site could trick the agent into saving this data to a known path for later retrieval or direct exfiltration.
- [Command Execution] (MEDIUM): The tool enables the agent to execute complex browser sequences. If the agent's reasoning is compromised by on-page content, these commands can be used to perform 'Clickjacking' or automated form submission on authenticated sites.
Recommendations
- AI detected serious security threats
Audit Metadata