browse
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the Bun installer from the well-known service domain bun.sh.
- [REMOTE_CODE_EXECUTION]: Executes the Bun installation script by piping the remote content directly to the bash shell.
- [COMMAND_EXECUTION]: Installs the @ulpi/browse global Node.js package, which is a resource provided by the skill author.
- [COMMAND_EXECUTION]: Modifies the .claude/settings.json file to grant broad execution permissions for the browse tool, reducing the frequency of user authorization prompts via a wildcard permission Bash(browse:*).
- [PROMPT_INJECTION]: Creates an attack surface for indirect prompt injection as the tool processes untrusted web content from the internet.
- Ingestion points: Commands such as browse text, browse html, and browse snapshot ingest external data into the agent context (SKILL.md).
- Boundary markers: Absent; there are no instructions to use delimiters or ignore instructions within the retrieved content.
- Capability inventory: The skill utilizes Bash and Read tools, and the browse command supports arbitrary JavaScript execution via browse js.
- Sanitization: Absent; no filtering or sanitization of the scraped web content is described.
Recommendations
- HIGH: Downloads and executes remote code from: https://bun.sh/install - DO NOT USE without thorough review
Audit Metadata