agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH | PROMPT_INJECTION | DATA_EXFILTRATION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill processes untrusted web content, which can contain malicious instructions (Indirect Prompt Injection). Mandatory Evidence Chain: (1) Ingestion points: 'agent-browser open' and 'agent-browser snapshot' in SKILL.md. (2) Boundary markers: Absent. (3) Capability inventory: 'fill', 'click', 'upload', 'state save', 'eval', and 'record'. (4) Sanitization: Absent.
- DATA_EXFILTRATION (HIGH): The tool can access and export sensitive information using 'cookies', 'storage local', and 'state save'. The 'upload' command can be used to send local files to attacker-controlled sites.
- COMMAND_EXECUTION (HIGH): The 'eval' command allows execution of arbitrary JavaScript within the browser context.
- EXTERNAL_DOWNLOADS (MEDIUM): Requires global installation of 'agent-browser' via bun, which is an untrusted external dependency.
Recommendations
- AI detected serious security threats
Audit Metadata