browser
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill documentation (SKILL.md and refs/scraping.md) repeatedly instructs the agent to execute arbitrary Python code using heredocs (e.g., 'uv run python <<EOF'). This allows the agent to dynamically generate and run scripts in its local environment, which could be exploited to perform unauthorized host-level actions if the agent is misled.
- [DATA_EXFILTRATION] (MEDIUM): The 'Data Scraping Guide' provides explicit code and patterns for intercepting network requests and capturing headers. Since these headers often contain session cookies or bearer tokens, this functionality facilitates the theft of sensitive credentials if the agent is directed to a malicious or sensitive site.
- [PROMPT_INJECTION] (LOW): The skill is inherently vulnerable to indirect prompt injection as it ingests untrusted data from the web.
  1. Ingestion points: browser commands such as 'snapshot', 'text', and 'evaluate' in client.py.
  2. Boundary markers: none; there are no instructions to use delimiters or to ignore embedded instructions in scraped data.
  3. Capability inventory: subprocess execution via 'uv run', file writing (results.json), and network requests via the browser.
  4. Sanitization: no evidence of sanitization or content validation for data retrieved from the browser context.
- [COMMAND_EXECUTION] (LOW): The skill utilizes 'page.evaluate()' to run arbitrary JavaScript within the browser context. While standard for Playwright, it presents a risk if the agent is directed to execute logic derived from untrusted web sources.
Audit Metadata