browse
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection because it ingests untrusted data from the web and possesses the capability to perform actions with side effects. Ingestion points: Webpage content retrieved from the user-specified 'start_url'. Boundary markers: No delimiters or safety instructions are provided to help the agent distinguish between webpage content and its original task instructions. Capability inventory: Includes 'clicking', 'typing', 'form filling', and 'data extraction' via the 'run_browsing_task' tool. Sanitization: There is no evidence of content sanitization or instruction filtering.
- [DATA_EXFILTRATION] (MEDIUM): The ability to extract structured data via 'output_fields' combined with browser automation poses an exfiltration risk. A malicious site could be designed to trigger the agent to extract and return sensitive data (e.g., from an authenticated user profile) to the prompt context.
Recommendations
- AI detected serious security threats
Audit Metadata