reddit-browser-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): Located in `scripts/browser_server.py`. The server listens on a world-writable Unix socket (`/tmp/browser_server.sock`) and passes input directly to `eval()` and `exec()` functions within the `execute_command` method. This allows any process or local user to execute arbitrary Python code with the privileges of the server process.
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Untrusted web content is brought into the agent's context via the `snapshot()` method in `scripts/browser_client.py`.
  - Boundary markers: No delimiters or instructions are present to prevent the agent from obeying instructions embedded in the captured web data.
  - Capability inventory: The skill provides extensive write and interaction capabilities, including `click`, `type_text`, `fill_form`, and `press_key`, allowing an attacker to perform actions on behalf of the user.
  - Sanitization: No content sanitization or validation is performed on the data retrieved from the browser.
- CREDENTIALS_UNSAFE (HIGH): The `scripts/sign_up.py` script accepts passwords as plain-text command-line arguments, exposing sensitive credentials to system logs, process lists, and shell history.
- COMMAND_EXECUTION (CRITICAL): The `scripts/run_browser_ops.py` utility provides a CLI interface for executing arbitrary Python strings through `eval()` and `exec()`, which can be abused to run malicious commands on the host system.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE