agent-browser
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes high-risk command-line arguments such as `--executable-path` and `--extension`, which allow the agent to execute arbitrary local binaries or load potentially malicious browser extensions.
- [REMOTE_CODE_EXECUTION]: The `eval` and `wait --fn` commands provide a mechanism for executing arbitrary JavaScript code within the browser context, which can be used to bypass security controls or manipulate page behavior.
- [DATA_EXFILTRATION]: The `open` command explicitly supports the `file://` protocol, creating a risk for local file exposure where sensitive system files could be read into the browser and subsequently extracted.
- [DATA_EXFILTRATION]: Commands like `cookies`, `storage`, and `state save` allow for the extraction and persistence of sensitive session data, including authentication tokens and cookies.
- [PROMPT_INJECTION]: The skill is inherently vulnerable to Indirect Prompt Injection because its primary purpose is to ingest and process data from untrusted external websites.
  - Ingestion points: `agent-browser open <url>`, `agent-browser snapshot`, and various `get` commands (e.g., `get text`, `get html`).
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are present in the skill definition or instructions.
  - Capability inventory: Access to the file system (via `screenshot`, `pdf`, and `state save`), network access, and browser-side code execution (`eval`).
  - Sanitization: No evidence of content sanitization or validation of the data retrieved from the web.
Audit Metadata