agent-browser
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [Dynamic Execution] (MEDIUM): The skill includes an `eval` command that allows arbitrary JavaScript execution in the browser.
  - Evidence: `agent-browser eval "document.title"` command in SKILL.md.
  - Risk: This can be used to manipulate page logic, bypass security controls, or exfiltrate sensitive data from the browser's memory or DOM.
- [Data Exposure & Exfiltration] (MEDIUM): Commands like `set credentials` and `state save/load` handle sensitive authentication information.
  - Evidence: `agent-browser set credentials user pass` and `agent-browser state save auth.json` in SKILL.md.
  - Risk: Handling credentials via the CLI and saving authentication state (cookies/tokens) to local files creates a risk of exposure if logs or the filesystem are accessed by unauthorized parties.
- [Indirect Prompt Injection] (LOW): The skill is a high-risk surface for indirect prompt injection, as it processes data from untrusted external websites.
  - Ingestion points: `agent-browser open`, `snapshot`, and `get text` fetch content from arbitrary URLs.
  - Boundary markers: No specific markers are used to isolate untrusted web content from agent instructions.
  - Capability inventory: The agent has access to Bash commands, file system writes (`screenshot`, `pdf`), and the ability to execute network requests via the browser.
  - Sanitization: There is no evidence of sanitization or filtering of the web content before it is processed by the LLM.
- [Privilege Escalation] (MEDIUM): The `--cdp` flag allows connecting to a running browser instance.
  - Evidence: `agent-browser --cdp 9222 snapshot` in SKILL.md.
  - Risk: This could allow an agent to hijack an existing user session via the Chrome DevTools Protocol, gaining access to authenticated sites and private data without explicit user consent.
Audit Metadata