agent-browser
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to process content from arbitrary web pages, which can contain adversarial instructions meant to hijack the agent's behavior.
  1. Ingestion points: the agent-browser open, snapshot, and get text commands in SKILL.md.
  2. Boundary markers: absent.
  3. Capability inventory: interaction commands like click, fill, and state save allow a hijacked agent to perform sensitive actions.
  4. Sanitization: absent.
- [External Downloads] (HIGH): The installation instructions require downloading a global npm package from an unverified source and subsequently downloading a binary (Chromium).
- [Data Exposure & Exfiltration] (MEDIUM): The skill can save and load authentication states (auth.json), which contain sensitive session tokens. If an attacker can influence the agent via an untrusted page, they could potentially steal these tokens.
- [Command Execution] (LOW): The skill executes various CLI commands to control the browser, which increases the impact of any potential injection attack.
Recommendations
- AI detected serious security threats
Audit Metadata