agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the Bash tool to execute `agent-browser` CLI commands. It also includes commands like `agent-browser state save` that allow the agent to persist session data (cookies, storage) to the local file system, creating a persistence mechanism for authenticated sessions.
- [REMOTE_CODE_EXECUTION]: The `eval` command enables the execution of arbitrary JavaScript within the browser context. The documentation highlights the use of Base64 encoding (`-b`) and stdin to provide scripts, which can be leveraged to bypass shell escaping or obfuscate malicious code payloads.
- [DATA_EXFILTRATION]: The tool supports the `--allow-file-access` flag, permitting the browser to open and read local system files via `file://` URLs. This capability, when paired with the browser's ability to navigate to external websites, provides a direct vector for reading and exfiltrating sensitive local data.
- [EXTERNAL_DOWNLOADS]: The skill suggests using `npx agent-browser`, which dynamically downloads and executes the package from the npm registry at runtime.
- [PROMPT_INJECTION]: The skill's architecture is vulnerable to indirect prompt injection as it processes untrusted content from the web and provides the agent with powerful tools to act on that content.
  - Ingestion points: Web page content fetched through `open`, `snapshot`, and `get text` commands (found in SKILL.md and references/commands.md).
  - Boundary markers: None identified in the output returned to the agent.
  - Capability inventory: Includes arbitrary JavaScript execution, local file system access, and session persistence.
  - Sanitization: There is no evidence of sanitization for the content extracted from web pages before it is presented to the agent.
Audit Metadata