Trust Assessment
Agent Browser received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include Excessive Permissions: Arbitrary JavaScript Execution; Data Exfiltration & Credential Harvesting via Browser Data Access; and Potential Command Injection via Unquoted Arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Excessive Permissions: Arbitrary JavaScript Execution. The `agent-browser eval` command allows arbitrary JavaScript execution within the context of the browsed web page. This grants the agent full control over the page's Document Object Model (DOM), network requests, and access to sensitive browser-side data like cookies and local storage. An attacker could craft malicious JavaScript to exfiltrate data, manipulate the page, or potentially exploit browser vulnerabilities. The `Bash(agent-browser:*)` permission enables the LLM to execute this powerful command. Restrict the use of `agent-browser eval` or implement strict input validation and sanitization for any JavaScript code passed to it. Consider whether this level of control is truly necessary for the skill's intended purpose. | LLM | SKILL.md:204 |
| HIGH | Data Exfiltration & Credential Harvesting via Browser Data Access. The skill provides direct commands (`agent-browser cookies`, `agent-browser storage local`, `agent-browser get ...`) to retrieve sensitive information such as HTTP cookies, local storage data, and arbitrary element attributes/values from web pages. This data can include session tokens, user credentials, or other private information, which can then be exfiltrated via the agent's output. The `Bash(agent-browser:*)` permission allows the LLM to execute these commands. Implement strict controls over which `agent-browser` commands can be executed, especially those that retrieve sensitive browser data. Ensure that agent output is not logged or stored in insecure locations, and that sensitive data is masked or redacted before being exposed. | LLM | SKILL.md:174 |
| HIGH | Potential Command Injection via Unquoted Arguments. The skill uses `Bash(agent-browser:*)` permissions, allowing the agent to execute `agent-browser` commands via the shell. If user-provided input (e.g., URLs, filenames, text content for `fill` or `type` commands) is directly interpolated into these shell commands without proper escaping or quoting by the LLM, it could lead to command injection. An attacker could inject arbitrary shell commands by crafting malicious input, potentially leading to arbitrary code execution on the host system. Ensure that the LLM strictly quotes or escapes all user-provided arguments when constructing `agent-browser` commands for Bash execution. Implement robust input validation and sanitization for all user-controlled parameters to prevent shell metacharacters from being interpreted. | LLM | SKILL.md:20 |
| MEDIUM | Supply Chain Risk: Unpinned Dependency Version. The skill's installation instructions recommend installing `agent-browser` via `npm install -g agent-browser` without specifying a version. This introduces a supply chain risk, as future installations might pull a new version of the `agent-browser` CLI that could contain vulnerabilities or malicious code, impacting the security of the agent's operations. Pin the version of `agent-browser` in the installation instructions (e.g., `npm install -g agent-browser@x.y.z`) to ensure deterministic and secure deployments. Regularly review and update the pinned version after security vetting. | LLM | SKILL.md:10 |
Powered by SkillShield