agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (LOW): The templates and documentation demonstrate patterns for handling credentials, including environment variables and example hardcoded strings (e.g., 'password123' in references/authentication.md). Additionally, the tool saves full session state (cookies and tokens) to local files like 'auth-state.json'. While these are intended functionalities for session persistence, they represent a data exposure risk if files are not secured or are accidentally committed to version control.
- [PROMPT_INJECTION] (LOW): The skill facilitates interaction with untrusted external web content, creating a surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: Web page content is ingested via 'agent-browser snapshot -i' and 'agent-browser get text body' in templates/capture-workflow.sh and templates/form-automation.sh.
  - Boundary markers: No explicit delimiters or instructions are provided in the templates to help the agent distinguish between system instructions and untrusted data from the browser.
  - Capability inventory: The skill possesses extensive capabilities including 'click', 'fill', 'upload', 'state save', and 'screenshot' across all provided scripts.
  - Sanitization: There is no evidence of sanitization or validation of the external content before it is processed by the agent.
Audit Metadata