agent-browser

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. A malicious website could include hidden instructions in its HTML (e.g., within accessibility labels or text content) that the agent may interpret as commands after performing a snapshot or get text operation.
      • Ingestion points: agent-browser snapshot, agent-browser get text, and agent-browser get title in SKILL.md provide external data to the agent.
      • Boundary markers: No boundary markers are defined to distinguish between the content of the website and the instructions for the agent.
      • Capability inventory: The skill possesses significant capabilities, including agent-browser fill, agent-browser click, and agent-browser state save as documented in SKILL.md.
      • Sanitization: There is no evidence of sanitization or filtering of the website content before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill uses an external CLI tool named agent-browser to perform all browser-related tasks. While these commands are standard for automation, they enable the agent to interact with the web and local file system (e.g., saving session state or screenshots) based on inputs that could be influenced by untrusted remote content.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 9, 2026, 07:34 PM