agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it is designed to navigate and extract data from untrusted external websites.
  - Ingestion points: Web content is ingested into the agent context through the `snapshot` function (returning `elements_text`) and the `execute` function (extracting data like `document.body.innerText` in `templates/capture-workflow.sh`).
  - Boundary markers: There are no explicit delimiters or system instructions provided within the skill to differentiate untrusted web content from legitimate agent instructions.
  - Capability inventory: The skill possesses high-impact capabilities including browser interaction (`click`, `fill`, `type`), arbitrary JavaScript execution (`execute`), and file uploads (`upload`).
  - Sanitization: No sanitization of the scraped web content is performed before presentation to the agent.
- [COMMAND_EXECUTION]: The `execute` function enables the execution of arbitrary JavaScript within the browser context. This is a powerful dynamic execution capability (Category 10) that could be used to extract sensitive session data such as cookies or local storage if the agent is directed to a malicious site.
- [EXTERNAL_DOWNLOADS]: The skill's setup instructions and documentation require the installation and use of the `infsh` CLI tool, which is downloaded from an external third-party source using `npx skills add inference-sh/skills@agent-tools`.
Audit Metadata