NYC

Browser Automation

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill runs npx @midscene/web@1, which downloads and executes code from an external package registry (npm) that is not on the trusted source list. This creates a risk of supply chain attacks or execution of unverified logic.
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection. It uses vision-based AI to interpret web page content and execute high-level actions (act) based on those interpretations. Ingestion points: Arbitrary web page content via connect --url and screenshots. Boundary markers: Absent; the agent is not instructed to isolate web content from its core instructions. Capability inventory: The skill can click, type, navigate, and has access to the system Bash tool. Sanitization: Absent; visual information is passed directly to the model's reasoning process.
  • [COMMAND_EXECUTION] (MEDIUM): The skill uses the Bash tool to run automation commands. If an indirect injection occurs, this capability can be leveraged to run malicious shell commands on the host system.
  • [DATA_EXFILTRATION] (MEDIUM): The skill can take screenshots of any page and save them locally. While not direct exfiltration, it allows for the unauthorized capture of potentially sensitive UI data (e.g., logged-in sessions or internal tools).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 10:45 PM