agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is entirely based on executing the `agent-browser` command-line interface to perform system-level browser automation, including navigating to URLs, taking screenshots, and interacting with page elements.
- [DATA_EXFILTRATION]: The tool includes commands to access sensitive browser session data, such as `agent-browser cookies` and `agent-browser storage local`. While these are functional requirements for testing and automation, they could be leveraged to extract authentication tokens or session information if used maliciously.
- [REMOTE_CODE_EXECUTION]: The `agent-browser eval` and `agent-browser wait --fn` commands allow for the execution of arbitrary JavaScript code within the browser context. This provides a mechanism for dynamic code execution on any website the agent visits.
- [PROMPT_INJECTION]: As a tool that ingests and processes content from external websites via `agent-browser snapshot` and `get` commands, it is susceptible to indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context through page snapshots and text extraction in `SKILL.md`.
  - Boundary markers: There are no explicit instructions or delimiters mentioned to prevent the agent from following instructions embedded within the processed web content.
  - Capability inventory: The tool possesses high-privilege capabilities including form filling (`fill`), file uploads (`upload`), JavaScript execution (`eval`), and session data access (`cookies`).
  - Sanitization: The skill documentation does not outline any sanitization or filtering of the extracted web content before it is processed by the agent.
Audit Metadata