agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides an `eval` command that allows the execution of arbitrary JavaScript within the browser context. This includes support for Base64-encoded payloads (`-b` flag) and input via `stdin`, which can be used to execute unverified logic or bypass shell escaping.
- [DATA_EXFILTRATION]: The skill includes capabilities to access local host files using the `file://` protocol when the `--allow-file-access` flag is used. Additionally, the `state save` command allows exporting sensitive session information, including cookies and local storage, to JSON files on the local filesystem.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. The agent navigates to arbitrary URLs and processes the resulting page content via the `snapshot` command. A malicious website could embed instructions in the DOM that the agent might follow, leveraging the skill's powerful automation features (like `fill` with environment variables or `eval`) for unauthorized actions.
  - Ingestion points: agent-browser snapshot (DOM content).
  - Boundary markers: None provided in instructions.
  - Capability inventory: Subprocess calls, file-write (state save, pdf, screenshot), network operations, and eval.
  - Sanitization: None detected.
- [COMMAND_EXECUTION]: The skill provides extensive control over browser sessions through the `agent-browser` CLI, including network request interception, device emulation, and automated UI interaction.
Audit Metadata