agent-browser
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructions require the global installation of
agent-browservia NPM (npm install -g agent-browser). This package is not hosted in a trusted repository or organization as defined in the security policy, making it an unverifiable dependency that could execute arbitrary code during installation or runtime. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from external websites.
- Ingestion points: The
agent-browser snapshotcommand reads the DOM and accessibility tree of arbitrary websites and provides it to the agent context. - Boundary markers: There are no instructions or delimiters defined to separate web content from system instructions or to warn the agent to ignore instructions embedded in the page.
- Capability inventory: The skill possesses significant capabilities, including form filling (
fill), interaction (click,check), and authentication state management (state save/load). - Sanitization: No sanitization or filtering of the ingested web content is performed before processing.
Audit Metadata