browser
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted data from web pages. \n
- Ingestion points: Untrusted data enters the agent context through web page content retrieved via
agent-browser open,snapshot, andget textcommands inSKILL.md. \n - Boundary markers: There are no boundary markers or instructions to isolate web content or prevent the agent from following embedded instructions found on pages. \n
- Capability inventory: The skill has extensive capabilities including clicking, form filling, navigation, and interacting with a memory CLI, which could be abused if an injection occurs. \n
- Sanitization: No sanitization or filtering of the external web content is performed. \n- [REMOTE_CODE_EXECUTION]: The skill uses
npxto download and execute code from a remote registry at runtime. \n - Evidence: The command
npx @claude-flow/clifetches and runs executable code from the npm registry. \n- [COMMAND_EXECUTION]: The skill relies on executing external CLI commands to perform its core functions. \n - Evidence: Uses
agent-browserfor all navigation and interaction tasks. \n - Evidence: Uses
npx @claude-flow/clito interact with memory and execution hooks. \n- [EXTERNAL_DOWNLOADS]: The skill initiates downloads of external packages during its operation. \n - Evidence: The use of
npxtriggers the download of the@claude-flow/clipackage from the public npm registry. \n- [DATA_EXFILTRATION]: The skill accesses and manages sensitive browser session data stored in local files. \n - Evidence: Includes commands to save and load session state using
auth.json, which contains sensitive authentication tokens or cookies.
Audit Metadata