browser
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the `agent-browser` command-line tool to perform automated browser actions such as navigation, interaction, and data extraction.
- [EXTERNAL_DOWNLOADS]: The documentation references `npx @claude-flow/cli`, which dynamically downloads and executes packages from the npm registry.
- [CREDENTIALS_UNSAFE]: Includes commands to save and load browser session states (e.g., `agent-browser --session nav state save auth.json`). These files typically contain sensitive cookies and authentication tokens that could be exposed if the local environment is compromised.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks where a malicious website could embed instructions designed to manipulate the agent's behavior.
  - Ingestion points: Data enters the agent context through `agent-browser snapshot`, `get text`, `get html`, and `get title` commands which parse external web content.
  - Boundary markers: The skill does not define specific delimiters or instructions to prevent the agent from obeying commands found within the accessibility tree or page text.
  - Capability inventory: The agent has extensive control over the browser, including the ability to navigate to new URLs, fill forms, click elements, and persist session states.
  - Sanitization: No sanitization or filtering of the ingested web content is described, though the use of an accessibility tree (snapshot) may reduce some surface area compared to raw HTML.
Audit Metadata