browser
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes content from external, untrusted websites via the `snapshot` and `navigate` actions. Maliciously crafted web pages could contain instructions intended to override the agent's behavior.
  - Ingestion points: Web content is retrieved through `navigate`, `snapshot`, and `screenshot` actions.
  - Boundary markers: The skill includes a security warning labeling the content as untrusted (`content_trusted: false`) and instructing the agent to treat it as data only.
  - Capability inventory: The agent has the ability to navigate to arbitrary URLs and perform interactions like clicking, typing, and submitting forms.
  - Sanitization: No programmatic sanitization of the scraped text is described; the skill relies on the agent following the provided security guidelines.
- [DATA_EXFILTRATION]: The `navigate` and `fill`/`type` actions can be used to send information to any URL. An agent could potentially be manipulated into visiting an attacker-controlled domain and transmitting sensitive data via URL parameters or form submissions.
- [CREDENTIALS_UNSAFE]: The skill explicitly supports persisting login sessions by saving cookies and localStorage to a dedicated profile directory. This results in sensitive authentication tokens being stored on the local filesystem, which poses a risk if the storage environment is accessed by unauthorized parties.
- [EXTERNAL_DOWNLOADS]: The skill identifies `playwright` as a required Python dependency. Additionally, the documentation notes that browser binaries must be installed from external sources using the `playwright install chromium` command.
- [COMMAND_EXECUTION]: The skill uses the Playwright library to manage and execute browser processes (Chromium) to perform automation tasks.
Audit Metadata