run-agent-browser
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing the agent-browser CLI to perform automation tasks. This allows the agent to control browser instances, navigate to URLs, and interact with web elements.
- [REMOTE_CODE_EXECUTION]: Includes an eval command that permits the execution of arbitrary JavaScript within the browser context. While this is a standard feature for automation, it is correctly identified in the skill's safety documentation as a high-risk capability.
- [EXTERNAL_DOWNLOADS]: Features an install command that fetches the Chromium browser engine and its required system dependencies from external sources.
- [PROMPT_INJECTION]: There is a risk of indirect prompt injection because the tool processes and outputs external web content. It implements mitigations such as AGENT_BROWSER_CONTENT_BOUNDARIES (nonce-delimited output) and AGENT_BROWSER_MAX_OUTPUT.
- Ingestion points: agent-browser open, snapshot, get text.
- Boundary markers: Implements optional nonce-based markers via the AGENT_BROWSER_CONTENT_BOUNDARIES environment variable to isolate untrusted page content.
- Capability inventory: Sensitive commands include eval, download, network route, state save, and set credentials.
- Sanitization: Uses structured delimiters to help the LLM distinguish between tool outputs and data retrieved from external websites.
Audit Metadata