agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests and processes untrusted data from external websites.
- Ingestion points: Data enters the agent's context through
agent-browser open,agent-browser snapshot, andagent-browser get text/html(found inSKILL.md). - Boundary markers: There are no explicit boundary markers or instructions to the agent to disregard commands embedded within the retrieved web content.
- Capability inventory: The skill possesses powerful capabilities including
agent-browser eval(JavaScript execution),agent-browser cookies, andagent-browser state save(session data access). - Sanitization: No sanitization or filtering of the retrieved web content is performed before it is presented to the agent.
- [DATA_EXFILTRATION]: The skill includes built-in commands for accessing sensitive information, such as
agent-browser cookies,agent-browser storage local, andagent-browser state save. While these are functional requirements for a browser tool, they represent a high-risk surface for data exfiltration if the agent's logic is subverted by a malicious webpage. - [COMMAND_EXECUTION]: The
agent-browser evalcommand allows for the execution of arbitrary JavaScript code within the browser's context. This provides a mechanism for an attacker (via indirect injection) to interact with web applications with the user's session privileges.
Audit Metadata