browser-automation
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process data from external, untrusted websites.
  - Ingestion points: The agent utilizes browser_read_page to read content from arbitrary URLs as specified in SKILL.md and HAND.toml.
  - Boundary markers: The instructions lack explicit delimiters or guidance for the agent to distinguish between its system instructions and potentially malicious content embedded in the web pages it visits.
  - Capability inventory: The agent's toolset in HAND.toml includes browser_click, browser_type, browser_navigate, file_write, and file_read, which could be targeted by an injection attack.
  - Sanitization: There is no defined process for sanitizing or validating ingested web content before it is provided to the agent for processing.
- [COMMAND_EXECUTION]: The HAND.toml configuration specifies shell commands for installing necessary dependencies like Python 3 and Chromium across various platforms.
  - Evidence: The file includes standard package management commands such as brew install python3, sudo apt install chromium-browser, and winget install Google.Chrome to facilitate environment setup.
Audit Metadata