browser
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes a CLI tool to perform browser automation, including the ability to execute arbitrary JavaScript via an `eval --stdin` command. This allows for dynamic code execution within the browser context during data extraction tasks.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of ingesting and processing untrusted data from external websites. An attacker could place malicious instructions on a webpage to influence the agent's subsequent actions.
  - Ingestion points: Browser commands such as `open URL`, `snapshot`, and `scrape` in SKILL.md.
  - Boundary markers: None specified in the instructions to separate external page content from agent instructions.
  - Capability inventory: The agent can execute CLI commands, run JavaScript in the browser, and perform file system operations (state saving).
  - Sanitization: No sanitization or validation of extracted page content is described before it is used in automation flows.
- [CREDENTIALS_UNSAFE]: The documentation encourages the use of `state save ./auth.json` to persist browser sessions. Storing authentication states (like cookies and session tokens) in local files can lead to credential exposure if the file is not properly protected or is inadvertently included in version control.