agent-browser
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides documentation and templates for extracting session cookies using arbitrary JavaScript execution (e.g., document.cookie). This capability allows the agent to access and potentially exfiltrate sensitive authentication tokens from the browser context to external environments.
- [COMMAND_EXECUTION]: The skill uses the infsh CLI tool for all operations via the allowed Bash tool. This dependency introduces risks associated with external binary execution and command interpolation within the shell environment.
- [EXTERNAL_DOWNLOADS]: The documentation points to an external source for the required CLI installation at https://raw.githubusercontent.com/inference-sh/skills/refs/heads/main/cli-install.md, which is a remote resource not controlled by the skill's author context.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Ingestion points: Untrusted data is ingested from any URL accessed via the open function or content retrieved through the snapshot and execute functions. Boundary markers: The skill lacks delimiters or instructions to ignore embedded commands in the processed web content. Capability inventory: The skill possesses high-privilege capabilities including arbitrary JavaScript execution, form filling, and interaction with page elements. Sanitization: There is no evidence of sanitization or filtering of the content extracted from web pages before it is returned to the agent context.
Audit Metadata