browser-probe

Fail

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructions in 'references/patterns/auth.md' direct the agent to check environment variables such as 'TEST_PASSWORD' and 'CYPRESS_PASSWORD' and explicitly output them to the terminal using the 'echo' command. This practice exposes sensitive credentials in session logs and terminal history.
  • [COMMAND_EXECUTION]: The skill relies on shell scripts to drive the 'agent-browser' tool. It specifically utilizes 'agent-browser eval' to execute dynamic JavaScript within the browser context for data extraction and page interaction, which is a form of dynamic execution.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external websites (such as link text, headers, and button labels) and uses this data to influence its execution flow.
      • Ingestion points: Untrusted website content is read via extraction commands in 'references/patterns/auth.md', 'references/patterns/navigation.md', and other pattern files.
      • Boundary markers: The skill lacks explicit instructions or delimiters to prevent the agent from following malicious instructions that might be embedded in the targeted website's content.
      • Capability inventory: The agent has extensive capabilities to interact with web applications, including form submission, button clicking, and JavaScript execution via 'agent-browser'.
      • Sanitization: There is no evidence of sanitization or validation of the data scraped from external sources before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 9, 2026, 02:46 AM