agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides an eval command that allows the execution of arbitrary JavaScript within the browser context. The documentation in references/commands.md suggests using Base64 encoding (eval -b) to bypass shell interpretation, which can also be used to obfuscate the intent of complex scripts.
  • [DATA_EXFILTRATION]: The skill supports an --allow-file-access flag which permits the browser to read local files via file:// URLs as noted in SKILL.md. This capability allows access to sensitive local information if an agent is manipulated into accessing local paths and then sending data to a remote URL.
  • [CREDENTIALS_UNSAFE]: The skill manages session persistence by saving cookies and local storage to JSON files via agent-browser state save (references/session-management.md). These files contain sensitive session tokens and represent a risk of credential exposure if stored on an insecure filesystem.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from any URL provided.
      - Ingestion points: Data enters the agent context through the snapshot, get text, and screenshot commands (references/commands.md).
      - Boundary markers: The skill provides an optional AGENT_BROWSER_CONTENT_BOUNDARIES feature that wraps page output in nonce-based markers to help the agent distinguish untrusted content (SKILL.md).
      - Capability inventory: The agent can execute JavaScript (eval), manipulate the filesystem (state save), and interact with web forms (click, fill) (SKILL.md).
      - Sanitization: No explicit sanitization or filtering of the ingested web content is performed before it is presented to the agent.
  • [COMMAND_EXECUTION]: The skill executes npx agent-browser commands via the host shell, granting the agent control over a browser daemon (SKILL.md). It also supports connecting to existing Chrome instances via the Chrome DevTools Protocol (--auto-connect), which could be used to interact with a user's active browser sessions.
  • [EXTERNAL_DOWNLOADS]: The skill instructions in SKILL.md and references/commands.md describe downloading and running the agent-browser package from the npm registry using npx, as well as installing appium and its drivers.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 03:43 PM