agent-browser

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute subcommands of the agent-browser CLI, granting the agent full control over a browser environment on the local system.
  • [CREDENTIALS_UNSAFE]: Includes explicit commands for handling sensitive authentication data, such as set credentials for HTTP basic authentication, and commands to read/manipulate cookies and storage local (localStorage).
  • [CREDENTIALS_UNSAFE]: The documentation promotes a pattern of saving browser session states (including session tokens and cookies) to local JSON files (e.g., auth.json), which could lead to credential exposure if the filesystem is shared or compromised.
  • [REMOTE_CODE_EXECUTION]: The eval command allows for the execution of arbitrary JavaScript code within the context of the currently loaded web page, which can be used to bypass UI-based data extraction or manipulate page logic.
  • [DATA_EXFILTRATION]: Provides multiple methods to extract data from web pages (get text, get html, screenshot, pdf, record) which can then be saved to the local filesystem or potentially transmitted externally via the upload or open commands.
  • [EXTERNAL_DOWNLOADS]: The command reference documentation specifies the installation of an external global package agent-browser via npm, which is required for the skill to function.
  • [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection as it is designed to ingest and act upon data from external, untrusted websites.
      • Ingestion points: Raw web page content accessed via snapshot, get text, get html, and browser console logs.
      • Boundary markers: None identified. There are no instructions provided to the agent to treat website content as data or to ignore instructions embedded within the DOM.
      • Capability inventory: The skill possesses powerful capabilities including filesystem writes (screenshot, pdf, state save), network navigation (open, tab new), and dynamic execution (eval).
      • Sanitization: None identified. Data retrieved from the browser is passed directly into the agent's context without filtering or sanitization.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 10, 2026, 09:45 AM