agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the 'agent-browser' CLI via Bash to perform browser operations. This enables the agent to interact with web pages and local files (for screenshots and PDFs) through system-level calls.
- [REMOTE_CODE_EXECUTION]: The 'agent-browser eval' command allows for the execution of arbitrary JavaScript within the browser context. This provides a mechanism for dynamic code execution that could be exploited if the agent is manipulated by malicious content on external websites.
- [DATA_EXFILTRATION]: The skill facilitates potential data exposure in two ways: first, the 'open' command supports the 'file://' protocol, which can be used to read local system files; second, the 'state save' command writes sensitive session state (cookies, storage) to local files. Improper handling of these state files could lead to the exposure of authentication credentials.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection risks when interacting with untrusted web content.
- Ingestion points: Untrusted data enters the agent context through 'agent-browser snapshot', 'agent-browser get text', and 'agent-browser get html'.
- Boundary markers: While the skill uses element references (@e1) to structure interactions, it lacks explicit mechanisms to prevent the LLM from obeying instructions embedded within the text content of those elements.
- Capability inventory: The agent possesses high-impact capabilities including network routing, file system writes, and JavaScript execution.
- Sanitization: No evidence of sanitization or filtering was found for the web content processed by the LLM.
Audit Metadata