web-browser

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The agent-browser tool includes an eval command capable of executing arbitrary JavaScript. This command supports Base64-encoded strings (agent-browser eval -b), which allows for the execution of code that is not immediately human-readable in its encoded form.
  • [REMOTE_CODE_EXECUTION]: The skill's configuration allows the execution of Node.js scripts (node *) via the allowed-tools definition. This provides the agent with the ability to run local scripts with the full capabilities of the Node.js runtime.
  • [COMMAND_EXECUTION]: The skill enables the use of npx playwright and npx agent-browser for browser automation. These tools are capable of complex interactions with both the local host and external networks.
  • [EXTERNAL_DOWNLOADS]: The skill fetches and executes the agent-browser and playwright packages using the npx package runner. Playwright is a well-known industry tool, and agent-browser is a resource provided by the skill author.
  • [DATA_EXFILTRATION]: The skill provides features for managing sensitive authentication data, including the ability to save browser session state (containing cookies and tokens) to local files such as auth-state.json. It also includes templates for using environment variables to handle login credentials. These files represent high-value targets if the system is compromised.
  • [DATA_EXFILTRATION]: The agent-browser tool includes an --allow-file-access flag which enables the browser to open local files via file:// URLs. This feature is intended for processing local HTML or PDF files but could be misused to access sensitive local data.
  • [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection (Category 8). It retrieves and processes content from untrusted external websites and presents it to the agent. Content on these pages could be designed to influence the agent's behavior and abuse the powerful tools available to the skill.
    • Ingestion points: Web content enters the agent context through agent-browser snapshot, agent-browser get text, and npx playwright screenshot.
    • Boundary markers: The skill does not implement specific delimiters or instructions to distinguish untrusted web content from its own instructions.
    • Capability inventory: The agent has access to local script execution (node), dynamic JavaScript evaluation (eval), and file system operations (session saving and local file access).
    • Sanitization: There is no evidence of validation or filtering of the content extracted from web pages before it is passed to the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 2, 2026, 11:02 AM