Trust Assessment
agent-browser received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary JavaScript Execution via agent-browser eval, Arbitrary File System Read/Write via agent-browser commands, Excessive Permissions granted by Bash(agent-browser:*).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary JavaScript Execution via agent-browser eval.** The `agent-browser eval` command allows executing arbitrary JavaScript code within the context of the currently loaded web page. An attacker can leverage this to perform actions like exfiltrating sensitive data (cookies, local storage, DOM content) from the visited website to an attacker-controlled server, manipulating the page DOM to phish users, or triggering further vulnerabilities. This is a direct command injection vector within the browser's JavaScript engine. Recommendation: restrict the `eval` command or implement a strict allowlist for JavaScript functions/properties that can be accessed. Consider sandboxing the execution environment more aggressively or removing the `eval` capability if not strictly necessary. | LLM | SKILL.md:208 |
| CRITICAL | **Arbitrary File System Read/Write via agent-browser commands.** The `agent-browser` tool can read and write files to arbitrary locations on the host system. The `agent-browser open file:///path/to/file` command allows reading local files. Commands like `agent-browser screenshot /path/to/output.png`, `agent-browser pdf /path/to/output.pdf`, `agent-browser upload @e1 /path/to/file.pdf`, and `agent-browser state save /path/to/state.json` allow writing files. This capability can lead to data exfiltration (e.g., reading sensitive system files like `/etc/passwd` or SSH keys) or command injection (e.g., writing malicious scripts to executable paths or overwriting critical system files). The example scripts `authenticated-session.sh` and `capture-workflow.sh` also demonstrate saving state and output to user-controlled paths, which an attacker could redirect. Recommendation: implement strict path validation and sandboxing for all file operations. Restrict `file://` access. Ensure that output paths are confined to a secure, temporary, and isolated directory. Do not allow user-controlled paths for sensitive operations like `state save`. | LLM | SKILL.md:60 |
| HIGH | **Excessive Permissions granted by Bash(agent-browser:*).** The declared permission `Bash(agent-browser:*)` allows the LLM to execute any command starting with `agent-browser` with arbitrary arguments. Given the extensive capabilities of `agent-browser` (including arbitrary JavaScript execution, filesystem access, network manipulation, and loading custom executables/extensions), this permission grants an extremely broad attack surface. An attacker can leverage this to perform almost any action that the `agent-browser` tool itself is capable of, leading to severe system compromise or data breaches. Recommendation: narrow the `Bash` permission scope to a strict allowlist of `agent-browser` subcommands and argument patterns. For example, instead of `Bash(agent-browser:*)`, specify `Bash(agent-browser:open,snapshot,click)` and define allowed argument patterns for each. Alternatively, wrap `agent-browser` calls in a more controlled script that sanitizes inputs and restricts capabilities. | LLM | Manifest (frontmatter JSON) |
| HIGH | **Loading Arbitrary Browser Executables or Extensions.** The `agent-browser --executable-path <p>` and `agent-browser --extension <path>` options allow specifying custom browser executables or loading arbitrary browser extensions. If an attacker can control the `<p>` or `<path>` arguments, they could instruct the skill to load a malicious browser executable or a compromised extension, leading to arbitrary code execution on the host system or within the browser environment. Recommendation: restrict the use of `--executable-path` and `--extension` options. If custom executables or extensions are required, ensure their paths are strictly controlled and validated, ideally pointing to trusted, pre-approved binaries or extensions. | LLM | SKILL.md:239 |
Full report: https://skillshield.io/report/974281f2b0b4ebdd