Agent Browser
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted content from the web while maintaining high-privilege browser capabilities.
  - Ingestion points: The agent receives external data via `agent-browser snapshot`, `get text`, and `get html` (SKILL.md).
  - Boundary markers: None identified in the documentation or command structure.
  - Capability inventory: Includes `click`, `fill`, `upload`, `eval`, and session management (SKILL.md).
  - Sanitization: No sanitization of the retrieved web content is performed before presentation to the agent.
- [COMMAND_EXECUTION]: The skill provides an `eval` command for executing arbitrary JavaScript within the browser context, representing a dynamic execution vector (SKILL.md).
- [EXTERNAL_DOWNLOADS]: The skill facilitates downloading the CLI tool from npm and Vercel Labs' GitHub repository, which are trusted and well-known sources (SKILL.md).
- [CREDENTIALS_UNSAFE]: The `set credentials` command and session state management features (state save/load) involve handling authentication data that could be exposed in history or local files if not managed securely (SKILL.md).
Audit Metadata