agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is configured to allow the agent to execute any sub-command of the inference.sh CLI using the Bash(infsh *) permission string defined in the allowed-tools metadata.
- [REMOTE_CODE_EXECUTION]: Through the execute function, the skill allows for the execution of arbitrary JavaScript code within the context of the remote browser session. This is a powerful feature intended for scraping and automation, but it represents a dynamic code execution vector.
- [DATA_EXFILTRATION]: Documentation in references/authentication.md and templates/capture-workflow.sh provides examples of using JavaScript to extract sensitive information, including browser cookies and full-page text content, which could be exfiltrated if the agent is compromised.
- [PROMPT_INJECTION]: The skill possesses a significant surface for indirect prompt injection because it is designed to ingest and process data from arbitrary, untrusted web sources.
  - Ingestion points: Untrusted data enters the agent context through the open, snapshot, and execute functions, as seen in SKILL.md and templates/capture-workflow.sh.
  - Boundary markers: The skill does not implement boundary markers or instructions to the agent to ignore embedded commands within the extracted web content.
  - Capability inventory: The agent has extensive capabilities to interact with the environment, including click, fill, upload, and execute (JavaScript), which could be triggered by instructions found on a malicious webpage.
  - Sanitization: No sanitization or filtering of external web content is performed before it is presented to the agent.
Audit Metadata