cmux-browser
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of navigating to and extracting data from arbitrary external websites. An attacker-controlled webpage could embed instructions designed to manipulate the agent's subsequent actions.
  - Ingestion points: Browser content is ingested via `cmux browser open <url>` and `cmux browser <surface> snapshot --interactive` across multiple files including `SKILL.md` and `templates/form-automation.sh`.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the provided interaction templates.
  - Capability inventory: The agent has broad capabilities including browser interaction (`click`, `fill`, `type`), JavaScript execution (`eval`), and file system writes (`state save`).
  - Sanitization: There is no evidence of sanitization or filtering of content extracted from web surfaces before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill exposes the `cmux browser <surface> eval '<js>'` command (documented in `references/commands.md`), which allows for the execution of arbitrary JavaScript within the browser's execution context. If the script content is derived from untrusted external data without proper escaping, it could lead to cross-site scripting (XSS) or unauthorized actions within the authenticated session.
- [DATA_EXFILTRATION]: The skill facilitates the saving of browser session states, including cookies, localStorage, and authentication tokens, to local JSON files (e.g., `auth-state.json` or `/tmp/auth-state.json`). While documentation in `references/authentication.md` and `references/session-management.md` warns against committing these files, their existence on the local filesystem represents a data exposure risk if the environment is shared or compromised.
Audit Metadata