web-access
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple local shell scripts (`check-deps.sh`, `ensure-browser.sh`, `close-browser.sh`) to detect dependencies, manage Chrome processes, and interact with the browser via the `agent-browser` CLI.
- [DATA_EXFILTRATION]: The skill creates and accesses a persistent browser profile at `~/.claude/browser-profile/`. This directory contains sensitive user data, including authentication cookies, session tokens, and browsing history, which are maintained across sessions to facilitate persistent logins.
- [REMOTE_CODE_EXECUTION]: The skill uses `agent-browser --eval` to execute arbitrary JavaScript within the browser context for tasks such as extracting image URLs and video metadata. This represents a dynamic code execution surface.
- [PROMPT_INJECTION]: The skill is inherently susceptible to indirect prompt injection as its primary function is to fetch and process untrusted content from the public web.
  - Ingestion points: Untrusted data enters the agent context via `agent-browser snapshot`, `get text`, and DOM extraction via `eval` (documented in `SKILL.md`).
  - Boundary markers: Absent. The skill does not implement specific delimiters or instructions to ignore commands embedded in retrieved web content.
  - Capability inventory: The skill possesses significant capabilities including arbitrary browser interaction (click, fill, type), shell script execution, and local filesystem access (documented in `scripts/` and `SKILL.md`).
  - Sanitization: No sanitization or filtering of fetched web content is observed before the data is passed to the agent for analysis.
Audit Metadata