agent-browser

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill provides an eval command that allows the agent to execute arbitrary JavaScript within the browser context.
    • Evidence in references/commands.md and references/clickable-detection.md shows usage of eval --stdin and eval -b <base64>.
    • The -b/--base64 flag is explicitly recommended for "reliable execution," which can also be used to hide malicious scripts from simple keyword filters.
  • [DATA_EXFILTRATION] (HIGH): The tool supports the file:// protocol and has direct file-system interaction capabilities.
    • references/commands.md confirms support for file://, upload, and screenshot --full, which could be used to read local files and capture sensitive data.
    • Combined with network capabilities, an attacker-controlled website could lead an agent to exfiltrate local configuration files or SSH keys.
  • [PROMPT_INJECTION] (HIGH): Category 8: Indirect Prompt Injection. The skill is designed to ingest and interact with arbitrary external web content without any boundary markers or sanitization.
    • Ingestion points: agent-browser open "$TARGET_URL" in templates/capture-workflow.sh and others.
    • Boundary markers: None. No instructions are provided to the agent to ignore embedded instructions in the DOM.
    • Capability inventory: Full interaction suite including click, fill, eval, and state save.
    • Sanitization: None. Data from the browser is passed directly to the agent's context via snapshots and text extraction.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill handles sensitive authentication tokens by saving browser state to local JSON files.
    • Evidence in templates/authenticated-session.sh and references/session-management.md shows that session tokens/cookies are stored in auth-state.json.
    • While the documentation suggests adding these files to .gitignore, the risk of accidental exposure, or of exfiltration via the file:// weakness above, is high.
  • [REMOTE_CODE_EXECUTION] (HIGH): Although the skill does not download binaries via curl, the eval functionality applied to untrusted web content effectively allows remote code execution within the browser's security context. That foothold can then be used to target the agent's session or the host via shared resources.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 02:09 AM