browser
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides tools to read full page content (`alma browser read`) and take screenshots (`alma browser screenshot`) of the user's active browser tabs. As the skill explicitly targets 'existing sessions, cookies, and logins', this presents a significant risk of exposing sensitive data from authenticated web applications (e.g., email, banking, or internal corporate tools).
- [REMOTE_CODE_EXECUTION]: The `alma browser eval <tabId> <code>` command allows the execution of arbitrary JavaScript within the context of a browser tab. This is a high-privilege capability that could be used to manipulate page logic, bypass security controls, or programmatically exfiltrate data from the DOM.
- [COMMAND_EXECUTION]: All browser operations are performed via `alma browser` CLI commands executed through the `Bash` tool. This gives the agent direct control over a local browser automation utility.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. By design, it ingests untrusted data from the web which can then influence the agent's behavior.
  - Ingestion points: Web content is ingested into the agent's context via `alma browser read` and `alma browser read-dom` in `SKILL.md`.
  - Boundary markers: The instructions do not define delimiters or system-level warnings to distinguish between page content and agent instructions.
  - Capability inventory: The agent has extensive capabilities to act on the browser, including navigation, form submission, and arbitrary JavaScript execution via `Bash`.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from web pages before it is processed by the agent.
Audit Metadata