steel-browser
Fail
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs users and agents to install the Steel CLI using the command `curl -sSf https://setup.steel.dev/install.sh | sh`. This is a high-risk pattern that executes remote code from the internet directly in the shell without any verification of the script's contents or integrity.
- [COMMAND_EXECUTION]: The skill relies on the `steel` command-line tool for all operations. This includes starting browser sessions, executing JavaScript, and managing persistent session states on the local system.
- [EXTERNAL_DOWNLOADS]: The skill requires downloading the CLI tool and suggests installing various SDKs (`steel-sdk`, `playwright`, `puppeteer`) from public registries (NPM/PyPI).
- [DATA_EXFILTRATION]: The `steel browser cookies` and `steel browser storage` commands provide access to sensitive session data. If the agent is compromised via indirect injection, these tools could be used to harvest and exfiltrate user credentials or session tokens.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core function of processing arbitrary web content.
  - Ingestion points: `steel scrape` and `steel browser navigate` fetch content from untrusted external URLs.
  - Boundary markers: The skill does not provide instructions to the agent to distinguish between its own operational instructions and content found on target websites.
  - Capability inventory: The toolset includes `steel browser eval`, which allows execution of arbitrary JavaScript in the browser context, and the ability to capture screenshots or PDFs.
  - Sanitization: There is no evidence of sanitization of the scraped content before it is provided to the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://setup.steel.dev/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata