camoufox
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's installation script `scripts/setup.sh` uses `sudo` to install system packages such as `python3-venv`, `python3-full`, and `xvfb`. This behavior requires root access and poses a risk if the script logic is compromised.
- [EXTERNAL_DOWNLOADS]: During setup, the skill fetches the `camoufox` library from the Python Package Index (PyPI) and system utilities from official Linux package repositories. These references target well-known and standard software registries.
- [PROMPT_INJECTION]: The scripts `scripts/browse.py` and `scripts/login_session.py` accept arbitrary URLs, creating a surface for indirect prompt injection attacks.
  - Ingestion points: Untrusted data enters the system whenever the browser navigates to an external URL and retrieves page text or screenshots.
  - Boundary markers: No delimiters or explicit instructions are provided to the agent to ignore or isolate instructions found within the retrieved web content.
  - Capability inventory: The skill enables full browser navigation, page interaction, text extraction, and screenshot capture.
  - Sanitization: The page content is extracted using `inner_text('body')` and returned to the agent without filtering or sanitizing potential malicious instructions.
Audit Metadata