agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes npx to download and execute the agent-browser package from the NPM registry. This is the primary tool used for browser automation.
- [COMMAND_EXECUTION]: The skill makes extensive use of Bash commands to interact with the browser CLI. This includes an eval command for executing arbitrary JavaScript within the web page context, and various commands for clicking, filling forms, and navigating.
- [DATA_EXFILTRATION]: The tool can extract information from the browser session, including page text, screenshots, and clipboard data. It also allows saving the entire session state (including cookies and localStorage) to local files. These files may contain sensitive authentication tokens and are stored in plaintext by default unless an encryption key is provided via environment variables.
- [PROMPT_INJECTION]: The skill has a high surface area for indirect prompt injection because its core function is to browse and extract content from untrusted third-party websites.
  - Ingestion points: Data is ingested via open, snapshot, and get text commands.
  - Boundary markers: The tool provides an optional --content-boundaries flag which wraps page content in nonces to help the agent distinguish it from instructions.
  - Capability inventory: The tool possesses powerful capabilities including JavaScript execution (eval), form interaction (fill, click), and clipboard access (clipboard write).
  - Sanitization: There is no built-in default sanitization of ingested content before it is returned to the agent context.
Audit Metadata