agent-browser
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill requires the installation of the 'agent-browser' package via 'npm install -g agent-browser'. This package is not from a trusted organization or repository, posing a risk of executing unverified code.
- Command Execution (LOW): The skill relies on shell commands to control a browser instance. While this is the primary function, it gives the agent programmatic control over a complex environment.
- Indirect Prompt Injection (LOW):
  - Ingestion points: Commands like 'snapshot' and 'get text' ingest untrusted content from the web into the agent's context.
  - Boundary markers: The instructions lack markers or warnings to ignore instructions embedded in retrieved web content.
  - Capability inventory: Includes full browser control, form submission, and session management.
  - Sanitization: No content validation or sanitization is performed on web data.
- Data Exposure & Exfiltration (LOW): The 'state save' command allows saving session cookies and authentication tokens to a local file ('auth.json'), creating a sensitive target for potential exfiltration.