real-browser
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The script `scripts/real_browser.sh` programmatically copies the user's sensitive browser data, including `Cookies`, `Login Data` (containing saved passwords), and `Web Data`, from the system's default Chrome profile directory to a secondary location.
- [COMMAND_EXECUTION]: The skill launches the Chrome browser with the `--remote-debugging-port` flag enabled, allowing any process with network access to the specified port to control the browser. It also executes various shell utilities for file manipulation and process control.
- [DATA_EXFILTRATION]: By cloning the user's authenticated session data and exposing it via a debugging port, the skill makes the user's active logins and private data available to the AI agent and potentially other local processes.
- [PROMPT_INJECTION]: The skill is designed to interact with external websites while maintaining the user's login state, which creates a large attack surface for indirect prompt injection.
  - Ingestion points: The `agent-browser open` command in `SKILL.md` allows navigating to arbitrary web URLs.
  - Boundary markers: Absent in `SKILL.md`; there are no instructions to the agent to differentiate between website content and system instructions.
  - Capability inventory: The `agent-browser` tool in `SKILL.md` provides high-privilege interactions like `click`, `fill`, and `eval` (JavaScript execution) within the browser context.
  - Sanitization: Absent in both `SKILL.md` and `scripts/real_browser.sh`; the skill does not include any mechanisms to sanitize or filter untrusted data from web pages.
Recommendations
- AI detected serious security threats
Audit Metadata