agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation mentions the `agent-browser install` command for environment setup. The tool is hosted by Vercel Labs, which is a trusted and well-known technology organization.
- [COMMAND_EXECUTION]: Commands are executed via the Bash tool to control the `agent-browser` CLI. This includes an `eval` feature for running JavaScript in the browser context, which is a core automation function but necessitates caution when handling dynamic inputs.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection as it processes content from external websites.
  - Ingestion points: Loads and snapshots web pages via `agent-browser open` and `snapshot` as defined in `SKILL.md` and `templates/capture-workflow.sh`.
  - Boundary markers: Recommends using `AGENT_BROWSER_CONTENT_BOUNDARIES` to wrap page data in delimiters, reducing the likelihood of the agent obeying embedded instructions.
  - Capability inventory: The skill uses `Bash`, `Write`, and `Read` tools, enabling it to perform shell operations and persist data locally.
  - Sanitization: Provides hardening via `AGENT_BROWSER_ALLOWED_DOMAINS` and `AGENT_BROWSER_ACTION_POLICY` to restrict the agent's reach and available actions.
- [DATA_EXFILTRATION]: Supports saving browser session states (cookies and auth tokens) to local files like `auth.json` (`references/authentication.md`). While this allows for authentication persistence, these files contain sensitive data and should be protected from unauthorized access.
Audit Metadata