agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides an 'eval' command that allows the agent to execute arbitrary JavaScript code within the browser context. While necessary for complex automation, this capability can be abused to perform unauthorized actions or exfiltrate data if the agent's logic is compromised.
- [CREDENTIALS_UNSAFE]: The tool supports setting HTTP Basic Authentication credentials and proxy authentication via command-line arguments and environment variables. This practice can expose sensitive secrets in process lists, shell history, and environment dumps. Additionally, session state files containing cookies and tokens are saved locally (e.g., 'auth.json'), which could lead to credential exposure if these files are not managed securely.
- [DATA_EXFILTRATION]: The '--allow-file-access' flag enables the browser to open and read local files (e.g., 'file:///path/to/document'). If the agent navigates to a malicious website while this flag is active, or if it is tricked into reading sensitive system files, there is a risk of unauthorized data access and potential exfiltration.
- [PROMPT_INJECTION]: The skill is designed to ingest and process data from external websites (via 'snapshot', 'get text'). This creates a surface for Indirect Prompt Injection, where malicious instructions embedded in a website's content could influence the agent's subsequent actions.
  - Ingestion points: Website content retrieved via 'agent-browser snapshot', 'agent-browser get text', and 'agent-browser get html'.
  - Boundary markers: None identified in the provided templates or instructions.
  - Capability inventory: Full browser interaction (click, fill, navigate), arbitrary JavaScript execution ('eval'), file system writing ('screenshot', 'pdf', 'state save'), and network routing control.
  - Sanitization: The skill instructions suggest using base64 encoding or stdin for 'eval' to prevent shell corruption, but do not specify sanitization or validation of the web content being processed.
- [EXTERNAL_DOWNLOADS]: The documentation mentions requirements for iOS automation which include installing Appium, a well-known mobile automation framework, via the official npm registry.
Audit Metadata