agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection.
  - Ingestion points: The `agent-browser open <url>` command allows the agent to navigate to arbitrary, potentially malicious web pages.
  - Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the fetched web content.
  - Capability inventory: The skill can execute shell commands (`agent-browser`), write files (`state save`, `download`, `screenshot`), and execute JavaScript (`eval`).
  - Sanitization: No sanitization or filtering of web content is performed before it is presented to the agent.
- [COMMAND_EXECUTION]: The skill relies on executing the `agent-browser` CLI tool via shell commands (e.g., `agent-browser open`, `agent-browser snapshot`) to automate browser tasks.
- [CREDENTIALS_UNSAFE]: The `agent-browser state save auth.json` and `agent-browser state load auth.json` commands handle sensitive browser state, including session cookies and authentication tokens, storing them in local files without encryption.
- [REMOTE_CODE_EXECUTION]: The `agent-browser eval` command allows for the execution of arbitrary JavaScript within the browser context, which could be exploited to run malicious scripts if an attacker can control the input or the page content.