test-browser

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Finding categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill installs the agent-browser package globally via npm and executes agent-browser install to download Chromium (~160MB).
      • Evidence: npm install -g agent-browser and agent-browser install in SKILL.md.
      • Context: While downloading executables is a high-risk activity, this package is attributed to Vercel, which is a trusted organization in the security policy, downgrading the severity to LOW.
  • [COMMAND_EXECUTION] (SAFE): The skill executes various system commands, including git, gh, and npm.
      • Evidence: Uses git diff, gh pr view, and npm install.
      • Context: These commands are essential for the skill's primary purpose of identifying changed files in a PR/branch and testing them, following the intended workflow.
  • [DATA_EXFILTRATION] (SAFE): The skill interacts with localhost:3000 and captures snapshots/screenshots.
      • Evidence: agent-browser open http://localhost:3000 and agent-browser snapshot -i.
      • Context: All network operations are directed at the local development server (whitelisted) or via the GitHub CLI for PR metadata. No data is sent to unknown external domains.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill has a surface for indirect prompt injection, as it ingests untrusted data from web pages.
      • Ingestion points: Web page content and interactive element metadata retrieved via agent-browser open and agent-browser snapshot -i from localhost:3000.
      • Boundary markers: Absent. The instructions do not specify delimiters to separate page content from the agent's internal logic.
      • Capability inventory: Significant capabilities, including npm install, git and gh command execution, and file writing (creating todo files).
      • Sanitization: Absent. The skill does not describe any validation or escaping of the content retrieved from the browser before the agent processes it.
      • Risk: An attacker who can influence the content of the local web application (e.g., via a malicious PR) could embed instructions in the HTML designed to manipulate the agent into executing unintended commands.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 04:10 PM