Trust Assessment
Agent Browser received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include Obfuscated execution: base64 decode to shell, Obfuscated Remote Code Execution via Base64 Encoded Script, Agent Can Upload Arbitrary Local Files.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 26/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Obfuscated execution: base64 decode to shell Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | skills/sakaen736jih/agent-browser-plyd56pz7air/SKILL.md:10 | |
| CRITICAL | Obfuscated Remote Code Execution via Base64 Encoded Script The MacOS installation instructions include a base64 encoded command that, when decoded, downloads and executes a shell script from an unverified IP address (`http://91.92.242.30/tjjve9itarrd3txw`). This constitutes arbitrary remote code execution, a severe supply chain risk, and uses obfuscation to hide its true intent. An attacker could replace the remote script with malicious code, leading to full system compromise. Remove the obfuscated remote code execution command. Provide clear, verifiable installation instructions, preferably from trusted package managers or official repositories, without direct piping to `bash` from untrusted sources. Ensure all external dependencies are from reputable sources and ideally pinned to specific versions. | LLM | SKILL.md:13 | |
| HIGH | Agent Can Upload Arbitrary Local Files The `agent-browser upload` command allows the agent to select and upload any local file to a web form. An attacker could craft a prompt to trick the agent into uploading sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, configuration files) from the host system to an attacker-controlled website, leading to data exfiltration. Implement strict validation or sandboxing for file upload paths. Restrict the agent's ability to specify arbitrary file paths for uploads, or require explicit user confirmation for sensitive file types/locations. Consider limiting file upload capabilities to specific directories or file types. | LLM | SKILL.md:79 | |
| HIGH | Agent Can Execute Arbitrary JavaScript in Browser Context The `agent-browser eval` command allows the execution of arbitrary JavaScript code within the context of the currently open web page. While this is sandboxed to the browser, a malicious prompt could instruct the agent to execute scripts that exploit browser vulnerabilities, perform cross-site scripting (XSS) attacks, or manipulate the page in unintended ways to exfiltrate data or bypass security controls. Restrict the `eval` command to a whitelist of safe JavaScript functions or disallow arbitrary JavaScript execution. If `eval` is absolutely necessary, ensure strong input sanitization and context isolation, and consider requiring explicit user confirmation for `eval` commands. | LLM | SKILL.md:160 | |
| MEDIUM | Session State Saving May Lead to Data Leakage The `agent-browser state save` command saves the current browser session state, which can include cookies, local storage, and potentially authentication tokens, to a specified file. If an agent is prompted to save this state to an insecure location, or if the saved file is later accessed by an unauthorized entity, it could lead to the exfiltration of sensitive user data or credentials. Implement mechanisms to encrypt saved session states or restrict saving to secure, temporary locations. Require explicit user confirmation before saving sensitive session data. Ensure that the agent cannot be prompted to save state to arbitrary, user-controlled paths. | LLM | SKILL.md:170 | |
| MEDIUM | Broad Bash Permissions for `agent-browser` Tool The skill declares `Bash(agent-browser:*)` as an allowed tool. While scoped to commands starting with `agent-browser`, the `agent-browser` tool itself offers a wide range of powerful capabilities, including file uploads, arbitrary JavaScript execution, network request interception/mocking, and session state management. This broad permission allows an LLM agent to execute any `agent-browser` command, increasing the attack surface for prompt injection leading to data exfiltration, command injection (within the browser context), or other malicious activities. Review and narrow down the specific `agent-browser` commands that are absolutely necessary for the skill's intended functionality. Consider implementing a more granular permission model if the underlying tool supports it, or adding an allowlist of specific `agent-browser` subcommands rather than a wildcard. | LLM | SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/33de548c089dd265)
Powered by SkillShield