amazon
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill utilizes a dedicated Chrome user data directory at $HOME/.config/chrome-agent. This directory contains sensitive information including session cookies, login credentials, and personal browsing history.
- [CREDENTIALS_UNSAFE]: The setup instructions require sensitive personal information, specifically AMAZON_SHIPPING_ADDRESS and AMAZON_PAYMENT_METHOD, to be stored in environment variables, which may be accessible to other processes or logged in shell history.
- [COMMAND_EXECUTION]: The skill leverages the agent-browser CLI to perform high-stakes automated actions. It is specifically designed to bypass manual confirmation for reorders ("Place order without confirmation"), which increases the risk of unauthorized financial transactions.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because it processes content from Amazon.com (product descriptions, reviews, and search results) which is externally controlled and untrusted.
  - Ingestion points: The agent navigates to and reads data from Amazon product pages and order histories.
  - Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when the agent processes web content.
  - Capability inventory: The agent has the capability to click buttons, navigate URLs, and execute purchases through the agent-browser tool.
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the content retrieved from the browser before the agent acts upon it.
Audit Metadata