browser-automation
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill's configuration in HAND.toml includes both file_read and browser_navigate tools. This combination allows the agent to read sensitive local files (such as SSH keys or configuration files) and potentially exfiltrate their content to external servers via web interaction.
- [COMMAND_EXECUTION]: The inclusion of the schedule_create tool allows the agent to establish persistence by scheduling tasks. Additionally, the file_write capability permits modification of system or configuration files, which could be used to alter system behavior.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through processing untrusted web content via browser_read_page. Ingestion points: Data is ingested from external websites using browser_read_page and web_fetch. Boundary markers: Absent. There are no instructions to use delimiters or to disregard instructions embedded within the retrieved web content. Capability inventory: The agent has access to sensitive tools including file_write, file_read, and schedule_create. Sanitization: Absent. There is no evidence of validation or filtering of the content retrieved from external websites.
Recommendations
- AI detected serious security threats