Skills
skills/nottelabs/notte-skills/notte-browser/Gen Agent Trust Hub

notte-browser

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill grants the agent access to the notte CLI via the Bash tool. This enables full control over browser sessions, agent lifecycle, and credential vault management through shell commands.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of arbitrary code in two ways: it allows for the execution of arbitrary JavaScript within a browser session via notte page eval-js, and it supports the creation and remote execution of Python-based workflows on the Notte platform using notte functions create and notte functions run.
  • [DATA_EXFILTRATION]: Documentation and templates provided with the skill (e.g., authenticated-session.sh) include functionality to export session cookies to local files (session_cookies.json) for persistence. While a standard feature for automation, these files contain sensitive session data that could be targeted for exfiltration if the local environment is compromised.
  • [CREDENTIALS_UNSAFE]: The CLI commands for managing the Notte 'Vault' accept sensitive inputs such as passwords and MFA secrets as command-line arguments. Although the skill documentation explicitly warns against this practice and recommends using environment variables to prevent leaks in shell history, the capability exists within the tool's interface.
  • [PROMPT_INJECTION]: The skill is inherently exposed to indirect prompt injection because its primary function is to ingest content from arbitrary websites via notte page scrape and notte page observe. Malicious instructions embedded in target web pages could potentially influence the agent's behavior.
  • Ingestion points: Untrusted data enters the agent context through notte page scrape, notte page observe, and notte agents start (documented in SKILL.md and references/session-management.md).
  • Boundary markers: The author provides guidance in 'Security Notes' suggesting the use of narrow instructions, but the tool itself does not programmatically enforce delimiters or sanitization on the scraped content.
  • Capability inventory: The agent possesses the capability to execute shell commands (Bash), perform network operations, and manipulate credential vaults, which could be abused if an injection is successful.
  • Sanitization: There is no evidence of automated sanitization or filtering of the HTML/text content retrieved from web pages before it is passed to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 7, 2026, 09:46 PM