shopping-browser-automation

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The scripts browser_server.py and run_browser_ops.py utilize eval() and exec() to process input strings as Python code. The BrowserServer executes commands received via a Unix socket (/tmp/browser_server.sock), which allows any local process or a successfully injected prompt to execute arbitrary code within the server's context.
  • [COMMAND_EXECUTION] (HIGH): The run_browser_ops.py utility allows for the execution of arbitrary browser operation snippets provided via command-line arguments. This design lacks proper parameterization and exposes the host to command injection risks if the agent generates commands based on untrusted external data.
  • [DATA_EXFILTRATION] (MEDIUM): The fill_shipping_info.py script handles sensitive Personally Identifiable Information (PII) including email addresses, physical addresses, and phone numbers. While necessary for the shopping use case, the lack of site validation or domain whitelisting creates a risk that this data could be exfiltrated to malicious checkout pages.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection due to its interaction with untrusted web content.
      ◦ Ingestion points: Data enters the agent context via browser.snapshot(), get_console_messages(), and get_network_requests() in browser_client.py.
      ◦ Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the scripts or the SKILL.md instructions.
      ◦ Capability inventory: The skill possesses high-impact capabilities including arbitrary browser interaction (click, type_text, fill_form) and the execution of dynamically generated Python code via the browser server.
      ◦ Sanitization: There is no evidence of sanitization or filtering of the DOM content or console logs retrieved from external websites before they are processed by the agent.
  • [EXTERNAL_DOWNLOADS] (LOW): Automated scanners flagged the URL browser.se as malicious. While this URL is not explicitly hardcoded in the provided files, the skill is designed to navigate the browser to arbitrary external URLs, which is an inherent risk of automated browser tools.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:38 PM