agent-browser-3
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `agent-browser eval` command allows for the execution of arbitrary JavaScript code within the browser context, which can be used to manipulate page state or access internal browser data.
- [COMMAND_EXECUTION]: The `--executable-path` global option enables the agent to specify and execute any local binary, potentially allowing for the execution of non-browser malicious files if the path is manipulated.
- [DATA_EXFILTRATION]: The skill provides tools for reading and exporting sensitive session data. Commands such as `agent-browser cookies`, `agent-browser storage`, and `agent-browser state save` can be used to extract authentication tokens and session identifiers, which are then stored in local JSON files (e.g., `auth.json`, `auth-state.json`).
- [PROMPT_INJECTION]: The skill exhibits a significant vulnerability surface for Indirect Prompt Injection (Category 8) due to its core function of processing untrusted web data.
  - Ingestion points: The agent ingests external, untrusted content through commands like `agent-browser open`, `snapshot`, `get text`, and `get html` across all provided templates and documentation.
  - Boundary markers: No boundary markers, delimiters, or explicit instructions to ignore embedded commands are present in the skill's logic or documentation.
  - Capability inventory: The skill possesses high-impact capabilities including arbitrary JavaScript execution (`eval`), form interaction (`fill`, `click`), and credential management (`set credentials`).
  - Sanitization: No sanitization, validation, or filtering of the retrieved web content is performed before it is added to the agent's context.
Audit Metadata