agent-browser
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE
Categories flagged: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `eval` command to run arbitrary JavaScript in the browser context for tasks such as DOM manipulation and data extraction. This is a core feature, but it amounts to arbitrary code execution in the page's JavaScript context: whatever the agent is told to evaluate, including by instructions that arrived in page content, runs there.
- [DATA_EXFILTRATION]: The CLI supports the `file://` protocol, allowing agents to open and read local files (e.g., PDFs or HTML). Malicious web content or prompts could use this to read local data and send it to an external domain.
- [CREDENTIALS_UNSAFE]: The skill can save and load browser session state (cookies, localStorage) to local JSON files (`auth.json`). These files hold session tokens in plaintext; the documentation recommends using encryption keys and a `.gitignore` entry. Note that `.gitignore` only prevents accidental commits; it does not protect the file from other processes on the same machine.
- [PROMPT_INJECTION]: The skill is inherently susceptible to indirect prompt injection (Category 8) because it processes untrusted web content that may contain hidden instructions aimed at the agent.
  - Ingestion points: content enters through the `snapshot`, `get text`, and `screenshot` operations, documented across multiple files (e.g., `SKILL.md`, `references/commands.md`).
  - Boundary markers: the skill supports a `--content-boundaries` flag that wraps page content in nonce-based delimiters so the LLM can distinguish tool output from page content. Delimiters make the provenance of text visible to the model; they do not by themselves stop the model from acting on instructions inside the delimited region.
  - Capability inventory: the skill can navigate to network resources, execute browser-side JavaScript (`eval`), write files (`screenshot`, `pdf`), and manage session state.
  - Sanitization: it provides security policies for domain allowlisting and action restrictions to mitigate these risks.
- [EXTERNAL_DOWNLOADS]: The documentation encourages installing the `agent-browser` package from public registries such as npm, Homebrew, or Cargo.
Audit Metadata