Trust Assessment
agent-browser received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 2 medium, and 0 low severity. Key findings include Path Traversal in Output Directory, Path Traversal in State File Save, Explicit Use of Environment Variables for Credentials.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Path Traversal in Output Directory.** `templates/capture-workflow.sh` uses `$OUTPUT_DIR`, taken unmodified from the untrusted positional argument `$2`, to create directories and save files. A caller can pass a traversal sequence such as `../../../../tmp` to write files anywhere the script's filesystem permissions allow, overwriting existing files or dropping captured data into a world-readable directory. Fix: resolve the requested path and confirm it stays under a fixed base directory before creating anything. Rejecting absolute paths and `..` segments is the minimum; a plain substring check for `../` is not enough on its own, since it misses a trailing `..` and symlinks already present inside the base. Alternatively, hard-code the output location. | LLM | templates/capture-workflow.sh:10 |
| HIGH | **Path Traversal in State File Save.** `templates/authenticated-session.sh` uses `$STATE_FILE`, taken unmodified from the untrusted positional argument `$2`, as the destination for saved authentication state. A caller can pass a traversal sequence such as `../../../../etc/passwd` to write the browser state (which contains session cookies and storage) to an arbitrary location: overwriting a system file if the script runs with sufficient privileges, or leaking the session material by writing it somewhere world-readable. Fix: confine `$STATE_FILE` to a fixed base directory using the same resolve-and-check approach as for the output directory, or use a predefined state path that the caller cannot choose. | LLM | templates/authenticated-session.sh:89 |
| HIGH | **Arbitrary Executable/Extension Loading.** As documented in `SKILL.md`, `agent-browser` accepts a custom browser executable path (`--executable-path`) and loads arbitrary browser extensions (`--extension`), and honours the environment variables `AGENT_BROWSER_EXECUTABLE_PATH` and `AGENT_BROWSER_EXTENSIONS` for the same purpose. If an attacker can influence the arguments the agent passes to `agent-browser` or the agent's environment, they can have the tool launch a malicious binary or load a malicious extension, which amounts to arbitrary code execution in the agent's context and exposes everything the browser session handles. Fix: restrict the `Bash` tool's invocations of `agent-browser` so that `--executable-path` and `--extension` are rejected, and unset both environment variables in the wrapper, since they are an equivalent channel. If custom executables or extensions are genuinely required, pre-approve them in an allowlist rather than accepting them from untrusted input. | LLM | SKILL.md:249 |
| MEDIUM | **Explicit Use of Environment Variables for Credentials.** The commented-out 'LOGIN FLOW' section of `templates/authenticated-session.sh` demonstrates reading `APP_USERNAME` and `APP_PASSWORD` from environment variables for authentication. Although the code is commented out, the template establishes that pattern, and an agent that follows it will expose the credentials to anything able to read or influence its environment, including prompt-driven requests to print them. Fix: avoid passing credentials through environment variables where the agent's environment can be affected by untrusted input; obtain them from a secrets manager or an interactive prompt instead, and keep them out of logs and saved state. | LLM | templates/authenticated-session.sh:76 |
| MEDIUM | **Broad Data Extraction and Exfiltration Capabilities.** `agent-browser` can extract data from pages (`get text`, `get html`, `get url`, `cookies`, `storage`), upload local files (`upload`), and set arbitrary HTTP headers (`set headers`). If an attacker controls the target URL, the elements extracted, the file uploaded, or the header values, they can move data from internal web applications or the local filesystem to a server they control. This is inherent to a general-purpose browser automation tool exposed to untrusted input. Fix: validate every argument passed to `agent-browser`, in particular URLs, file paths and extraction targets; allowlist the domains the agent may navigate to; restrict upload and download paths to isolated directories; and do not allow arbitrary headers to be set. | LLM | SKILL.md:109 |
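One way to implement the confinement recommended for the two path-traversal findings (`$OUTPUT_DIR` in `capture-workflow.sh` and `$STATE_FILE` in `authenticated-session.sh`), as an added example that is not part of the agent-browser project or its templates: a POSIX sh function `confine_path` that lexically normalises a caller-supplied relative path against a base directory and rejects anything that would escape it, plus `create_confined_dir`, which creates the directory and then re-checks the physical path so a symlink already inside the base cannot redirect the write. The function names, the `BASE` argument and the sample paths are assumptions for illustration; the scripts themselves would call these in place of using `$2` directly.

```sh
#!/bin/sh
# Added example (not agent-browser project code): confine a caller-supplied
# relative path (the $2 that becomes OUTPUT_DIR or STATE_FILE) to BASE.
# Written for POSIX sh: no arrays, no "local"; variables are prefixed instead.

# confine_path REQUESTED BASE
#   Prints BASE/<normalised REQUESTED> and returns 0 if the path stays inside
#   BASE after resolving "." and ".." segments; returns 1 otherwise.
#   Empty and absolute paths, and any ".." that would climb above BASE, are
#   rejected. This is lexical only; see create_confined_dir for the symlink check.
confine_path() {
  cp_req=$1
  cp_base=${2%/}                 # tolerate a trailing slash on BASE
  case "$cp_req" in
    ""|/*) return 1 ;;           # empty or absolute: reject
  esac
  cp_rest=$cp_req
  cp_acc=""
  while [ -n "$cp_rest" ]; do
    case "$cp_rest" in
      */*) cp_seg=${cp_rest%%/*}; cp_rest=${cp_rest#*/} ;;
      *)   cp_seg=$cp_rest;        cp_rest="" ;;
    esac
    case "$cp_seg" in
      ""|".") ;;                   # "//" and "./" contribute nothing
      "..")
        if [ -z "$cp_acc" ]; then
          return 1                 # would escape BASE
        fi
        case "$cp_acc" in          # drop the last accepted segment
          */*) cp_acc=${cp_acc%/*} ;;
          *)   cp_acc="" ;;
        esac
        ;;
      *) cp_acc=${cp_acc:+$cp_acc/}$cp_seg ;;
    esac
  done
  printf '%s\n' "$cp_base${cp_acc:+/$cp_acc}"
}

# create_confined_dir REQUESTED BASE
#   Creates BASE/<REQUESTED> via confine_path, then compares the *physical*
#   paths (pwd -P) of BASE and the result, so a pre-existing symlink inside
#   BASE pointing elsewhere is caught before anything is written there.
#   Prints the physical directory on success, returns 1 otherwise.
create_confined_dir() {
  cd_target=$(confine_path "$1" "$2") || return 1
  mkdir -p -- "$cd_target" || return 1
  cd_basephys=$(cd -- "$2" && pwd -P) || return 1
  cd_targphys=$(cd -- "$cd_target" && pwd -P) || return 1
  case "$cd_targphys" in
    "$cd_basephys"|"$cd_basephys"/*) printf '%s\n' "$cd_targphys" ;;
    *) return 1 ;;
  esac
}

# Usage demo with constructed inputs; run with CONFINE_DEMO=1.
if [ "${CONFINE_DEMO:-0}" = 1 ]; then
  demo_base=$(mktemp -d)
  confine_path 'shots/../run1' "$demo_base"                       # accepted
  confine_path '../../../../tmp' "$demo_base" || echo 'rejected: ../../../../tmp'
  confine_path '/etc/passwd' "$demo_base"     || echo 'rejected: /etc/passwd'
  rm -rf -- "$demo_base"
fi
```

For the state-file case the same two functions apply to the file's parent directory; the file name is then the last segment of the confined path. Note that `mkdir -p` will still follow a symlinked intermediate directory before the physical check rejects the result, so the check prevents the write but not the directory creation; if that matters, create the base with no symlinks inside it (or scan it first) rather than relying on the post-check alone.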
Full report: https://skillshield.io/report/699c7ce4e5ecdf75