browser
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its primary function involves navigating to and processing content from untrusted external websites. This content is passed to an LLM for action interpretation and data extraction, which an attacker could exploit by embedding malicious instructions in web pages.\n
- Ingestion points: The
navigate,extract, andobservecommands ingest data from arbitrary URLs (SKILL.md, REFERENCE.md).\n - Boundary markers: No specific delimiters or instructions to ignore embedded prompts are mentioned in the tool's interaction logic or examples.\n
- Capability inventory: The skill uses the
Bashtool and has capabilities for writing to the filesystem (downloads, screenshots) and full network access through the browser.\n - Sanitization: The documentation does not describe any sanitization or filtering of web content before it is processed by the underlying AI model.\n- [COMMAND_EXECUTION]: The skill relies on the
Bashtool to execute its CLI commands (browser), which provides the agent with a mechanism to interact with the host operating system and local file environment.\n- [EXTERNAL_DOWNLOADS]: The browser configuration enables automatic file downloads to a local directory (./agent/downloads/), allowing for the acquisition of remote files which could potentially be malicious (EXAMPLES.md, REFERENCE.md).
Audit Metadata