agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface (Category 8).
- Ingestion points: Untrusted data enters the agent context through
agent-browser snapshot,agent-browser get text,agent-browser get title, andagent-browser get urlintemplates/capture-workflow.sh,templates/form-automation.sh,templates/authenticated-session.sh, andreferences/authentication.md. - Boundary markers: Absent across all provided templates and reference files. There are no delimiters or instructions provided to the agent to treat scraped web content as untrusted.
- Capability inventory: Significant capabilities are present across the skill scripts, including network navigation (
agent-browser open), form interaction (agent-browser fill,agent-browser click), file-system operations (agent-browser state save,agent-browser screenshot,agent-browser pdfintemplates/capture-workflow.sh), and file interaction (agent-browser uploadintemplates/form-automation.sh). - Sanitization: Absent. No evidence of escaping, validation, or filtering of content retrieved from the browser before it is processed by the agent.
- [CREDENTIALS_UNSAFE] (SAFE): No hardcoded credentials were detected. The skill properly advises using environment variables for sensitive data and recommends excluding session state files from version control using .gitignore in
references/authentication.mdandreferences/session-management.md.
Audit Metadata