agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation instructs users to install the CLI tool using
curl -fsSL https://cli.inference.sh | sh, which is a pattern that downloads and executes an unverified script from a remote source. Additionally, theexecutefunction allows running arbitrary JavaScript code within the browser context. - [COMMAND_EXECUTION]: The skill is configured with
allowed-tools: Bash(infsh *), allowing the agent to execute shell commands via theinfshCLI utility. - [EXTERNAL_DOWNLOADS]: The installation process downloads compiled binaries from
dist.inference.sh, which is not a verified trusted source. - [DATA_EXFILTRATION]: The
uploadaction in theinteractfunction allows the agent to send local files to the remote browser session. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted web content.
- Ingestion points: Web page DOM, text content, and metadata are ingested via the
openandsnapshotfunctions as described inSKILL.md. - Boundary markers: No specific delimiters or instructions are provided to the agent to differentiate between untrusted browser content and its core instructions.
- Capability inventory: The skill possesses high-privilege capabilities including shell command execution (
infsh), arbitrary JavaScript execution (execute), and file uploads. - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from external websites before it is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata