browser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted data from external websites via
agent-browser snapshotand accessibility trees. An attacker-controlled website can embed instructions to manipulate the agent. - Ingestion points: Data enters the context through
agent-browser open <url>andagent-browser snapshotoutputs. - Boundary markers: No explicit delimiters or instructions to ignore embedded content are present in the skill's logic.
- Capability inventory: The skill allows
click,fill,state save, andscreenshotoperations, which can be triggered by malicious instructions on a page. - Sanitization: There is no evidence of sanitization or filtering of the website content before it is processed by the AI.
- Data Exposure & Exfiltration (MEDIUM): The skill provides tools to save and load browser session states (
auth.json). This file contains sensitive session tokens and cookies. If the agent is manipulated into uploading this file via a network request or displaying its contents, it leads to full session compromise. - Command Execution (LOW): The skill functions by executing the
agent-browserCLI tool with user-controlled arguments such as URLs and element selectors. While necessary for the skill's purpose, it presents an attack surface if the underlying CLI does not properly sanitize input against shell metacharacters.
Recommendations
- AI detected serious security threats
Audit Metadata