opensteer
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill contains directives intended to override standard agent tool preferences, mandating the use of the vendor's automation methods over generic alternatives.
- [DATA_EXFILTRATION]: The skill supports exporting sensitive browser cookies to local files and enables arbitrary network requests from within the browser environment via evaluation blocks.
- [REMOTE_CODE_EXECUTION]: The skill provides interfaces for executing arbitrary JavaScript code strings in the browser and facilitates running agent-generated scripts using local runners.
- [COMMAND_EXECUTION]: The skill executes the opensteer CLI and other script runners to perform its browser automation tasks.
- [CREDENTIALS_UNSAFE]: The system manages session identifiers through environment variables and provides functionality to import and export cookies which may contain authentication data.
- [EXTERNAL_DOWNLOADS]: The skill allows the agent to connect to remote browser instances using user-specified connection URLs.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection vulnerabilities when processing untrusted web content.
- Ingestion points: Untrusted data is ingested through methods such as snapshot and extract defined in cli-reference.md and sdk-reference.md.
- Boundary markers: No specific delimiters or instructions to ignore embedded commands are used for the ingested web content.
- Capability inventory: The skill possesses the ability to navigate the network, write files (screenshots/cookies), and execute scripts.
- Sanitization: The documentation does not describe any sanitization or validation of the data scraped from external websites.
Audit Metadata