browser
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes external shell commands such as `agent-browser` and `npx @claude-flow/cli` to perform its operations.
- [EXTERNAL_DOWNLOADS]: Uses `npx` to download and execute the `@claude-flow/cli` package from the NPM registry at runtime.
- [REMOTE_CODE_EXECUTION]: Running `npx` allows for the execution of remotely hosted code packages during skill execution.
- [DATA_EXFILTRATION]: The skill manages authentication states by saving and loading `auth.json` files, which typically contain sensitive session tokens or cookies. Additionally, it can capture and return screenshots and page content to the agent.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from external websites via snapshots and text extraction, which could contain malicious instructions designed to manipulate the agent's behavior.
  - Ingestion points: Web content processed via `agent-browser snapshot`, `get text`, and `get html` (SKILL.md).
  - Boundary markers: None explicitly defined to separate untrusted web content from system instructions.
  - Capability inventory: Subprocess calls for browser interaction, file-write for auth state, and network access via the browser (SKILL.md).
  - Sanitization: No explicit sanitization or filtering of scraped content is mentioned.
Audit Metadata