Browser Abstraction Layer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill provides a high-risk surface for Indirect Prompt Injection (Category 8) because it fetches and processes untrusted external data.
- Ingestion points: The `url` parameter in the `scrape_url` function (SKILL.md) allows the agent to ingest content from any external web source.
- Boundary markers: There are no visible delimiters or 'ignore instructions' warnings in the implementation to separate scraped data from system instructions.
- Capability inventory: The skill utilizes powerful browser tools (Antigravity, Playwright, Hyperbrowser) capable of bypassing bot detection and session handling, which could be leveraged if the agent is compromised via injection.
- Sanitization: No sanitization or content filtering is implemented for the data returned from the browser providers before it is passed to the agent reasoning engine.
- COMMAND_EXECUTION (LOW): The skill performs local environment checks including `file_exists("~/.gemini/antigravity/")` and `Read("km-config.json")`. While used for configuration, this demonstrates filesystem awareness and dependency on local files for logic steering.
Recommendations
- AI detected serious security threats