agent-browser

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): High surface for Indirect Prompt Injection. The agent navigates to and extracts text from potentially untrusted external websites, which can contain malicious instructions intended to manipulate the agent's behavior.
    • Ingestion points: Commands like agent-browser open <url>, snapshot -i, and get text ingest untrusted content into the agent's context.
    • Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions when processing site content.
    • Capability inventory: The tool allows for clicks, form fills, state management, and local file access.
    • Sanitization: There is no mention of sanitizing or filtering HTML content before the agent processes it.
  • [DATA_EXFILTRATION] (LOW): Local file access via --allow-file-access. This flag explicitly enables the browser to open file:// URLs, allowing it to read local system files (e.g., PDFs, HTML). If an agent is tricked via indirect injection into opening a sensitive local file and then 'filling' that data into a remote form, exfiltration is possible.
  • [CREDENTIALS_UNSAFE] (LOW): Session state persistence. The state save auth.json command writes session cookies and authentication tokens to a plaintext JSON file. This file represents a sensitive credential that could be targeted by other malicious processes or skills.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 18, 2026, 11:22 AM