browser-workflow-executor
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core logic is driven by the contents of a local file which may contain untrusted data.
- Ingestion points: Reads instructions from
/workflows/browser-workflows.md. - Boundary markers: Absent; the agent is instructed to methodically execute the steps provided in the file without validation.
- Capability inventory: Full browser automation (
navigate,click,type,screenshot), local filesystem modification via subagents (Read,Glob,Grep, and file writing), shell command execution (npm test), and version control integration (gh pr create). - Sanitization: Absent; there is no escaping or validation of the workflow steps before execution.
- [COMMAND_EXECUTION]: The skill automates the execution of various shell commands through subagents to perform development tasks.
- Evidence: Subagents are directed to run commands such as
npm test,git checkout,git commit, andgh pr createto verify fixes and submit changes. - [REMOTE_CODE_EXECUTION]: The skill performs dynamic code modification and execution of the resulting codebase during its automated remediation phase.
- Evidence: In 'Fix Mode', subagents are tasked with identifying bugs, writing code fixes directly to the project, and executing the updated test suites (including Playwright and Cypress) to verify the results.
Audit Metadata