Trust Assessment
Agent Browser received a trust score of 65/100, placing it in the Caution category: the skill carries security considerations that users should review before deploying it.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. The key findings are Arbitrary JavaScript Execution via `agent-browser eval`, Arbitrary File Upload via `agent-browser upload`, and Sensitive Browser Data Access and Exfiltration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 26/100; all five findings below come from that layer.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary JavaScript Execution via agent-browser eval | The skill is granted `Bash(agent-browser:*)` permissions, which include `agent-browser eval`, a command that executes arbitrary JavaScript in the context of the browsed page. JavaScript chosen by an attacker (supplied in the user's prompt, or injected into content on a page the agent visits) can read cookies, local storage and DOM content, perform actions as the logged-in user, or manipulate the page, leading to data exfiltration and integrity compromise. | Remove the ability to run `agent-browser eval` with untrusted input, or restrict it to a fixed set of vetted snippets; there is no reliable way to "sanitize" arbitrary JavaScript, so validation means allowlisting, not filtering. Confirm that arbitrary JS execution is genuinely essential to the skill's intended functionality before keeping it at all. | LLM | SKILL.md:147 |
| HIGH | Arbitrary File Upload via agent-browser upload | The skill can execute `agent-browser upload @e1 file.pdf`. If the file argument is derived from untrusted input, an attacker can instruct the agent to upload arbitrary files from the agent's host (for example SSH keys or configuration files containing credentials) to a web server the attacker controls, a direct data-exfiltration channel. | Strictly control and validate file paths passed to `agent-browser upload`: never accept untrusted input as a path, resolve the path before checking it so `..` segments and symlinks cannot escape, and confine uploads to an explicitly allowlisted directory. | LLM | SKILL.md:69 |
| HIGH | Sensitive Browser Data Access and Exfiltration | The `agent-browser` tool provides commands such as `cookies`, `storage local`, `network requests`, and `state save` that read session cookies, authentication tokens, local storage content, and captured network traffic. If this output is returned to the user, placed in the model context, or written to disk insecurely, it enables credential harvesting and session hijacking. | Restrict which session data the skill may read and return. Store saved state files with restrictive permissions, outside any directory that is shared or committed, and delete them when no longer needed. Filter or redact credentials (cookie values, `Authorization` headers, tokens in URLs) from network request logs before they are surfaced. | LLM | SKILL.md:125 |
| MEDIUM | Unpinned Dependencies in Installation Instructions | The installation instructions for the `agent-browser` CLI (e.g., `npm install -g agent-browser`, `pnpm install`) do not specify exact versions. Every install therefore pulls the latest published version, so a malicious or compromised release of `agent-browser` or any of its transitive dependencies would be picked up automatically. Separately, a hand-typed install command is exposed to typosquatting if a similarly named malicious package is published; pinning does not address that risk. | Pin exact versions in the installation instructions (e.g., `npm install -g agent-browser@1.2.3`) and verify the package name against the upstream project before publishing the instructions. Note that a project lock file does not govern a global `npm install -g`; for global installs the version pin in the command is the control. | LLM | SKILL.md:10 |
| MEDIUM | Potential Shell Injection via Unsanitized Arguments | The skill is granted `Bash(agent-browser:*)` permissions, so every invocation is a shell command composed by the model. Many `agent-browser` commands take arguments (URLs, text, selectors, file paths) that can originate from untrusted input, including the content of pages the agent reads. If such an argument is interpolated unquoted, shell metacharacters in it (`;`, `$(...)`, backticks, `|`) run as additional commands on the host. | Instruct the model in SKILL.md to always single-quote arguments it passes to `agent-browser`, and treat any argument containing shell metacharacters as suspect. Where the skill controls execution itself, pass the arguments as an argv array to the CLI without a shell instead of building a command string. | LLM | SKILL.md:30 |
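The eval, upload, and shell-injection findings above all come down to one control point: whatever is about to be handed to `agent-browser` must be checked before it runs. The following is an added example of a policy wrapper, written for this report and not code from the Agent Browser skill or the `agent-browser` project. It assumes a hypothetical wrapper that receives the model's command line, parses it into an argv array, refuses `eval`, confines `upload` paths to an allowlisted directory (a hypothetical `/tmp/agent-uploads`), flags the session-data commands for redaction, and renders a safely quoted command string. The subcommand names (`eval`, `upload @e1 file.pdf`, `cookies`, `storage`, `network`, `state`) are those named in the report; the wrapper's policy, function names and paths are assumptions.

```python
import os
import shlex
import subprocess
from pathlib import Path

# Hypothetical policy for a wrapper sitting between the agent and the real
# agent-browser CLI. Subcommand names are taken from the report; the policy
# and the upload directory are assumptions for this example.
DENIED_SUBCOMMANDS = {"eval"}                        # arbitrary JS in the page
SENSITIVE_SUBCOMMANDS = {"cookies", "storage", "network", "state"}
UPLOAD_ROOT = Path("/tmp/agent-uploads")            # assumed allowlisted directory


def resolve_upload_path(path, upload_root=UPLOAD_ROOT):
    """Return the canonical path if it lies inside upload_root, else None.

    Symlinks and '..' segments are resolved *before* the containment check,
    so '../../etc/passwd' or a symlink planted inside the directory is rejected.
    """
    root = Path(upload_root).resolve()
    candidate = Path(path).resolve() if os.path.isabs(path) else (root / path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def check_invocation(argv, upload_root=UPLOAD_ROOT):
    """Decide whether an agent-browser argv may run. Returns (allowed, reason)."""
    if not argv or argv[0] != "agent-browser":
        return False, "only agent-browser invocations are accepted"
    if len(argv) < 2:
        return False, "missing subcommand"
    sub = argv[1]
    if sub in DENIED_SUBCOMMANDS:
        return False, f"'{sub}' executes arbitrary JavaScript in the page and is disabled"
    if sub == "upload":
        # Shape from the report: agent-browser upload @e1 file.pdf
        if len(argv) != 4:
            return False, "upload expects exactly: upload <selector> <file>"
        if resolve_upload_path(argv[3], upload_root) is None:
            return False, f"upload path '{argv[3]}' is outside {upload_root}"
    if sub in SENSITIVE_SUBCOMMANDS:
        return True, f"'{sub}' exposes session data; redact its output before it reaches the model"
    return True, "ok"


def render_command(argv):
    """Render argv as one shell string with every argument quoted (shlex.join).

    This is the form SKILL.md should tell the model to emit: metacharacters in
    an argument end up inside single quotes instead of being interpreted.
    """
    return shlex.join(argv)


def guard(command_line, upload_root=UPLOAD_ROOT):
    """Parse the model's command line and apply the policy.

    Returns (argv, reason); argv is None when the command is refused. Parsing
    with shlex.split means '$(id)' stays a literal argument, not a substitution.
    """
    try:
        argv = shlex.split(command_line)
    except ValueError as exc:                       # unbalanced quotes etc.
        return None, f"unparseable command line: {exc}"
    allowed, reason = check_invocation(argv, upload_root)
    return (argv if allowed else None), reason


def run_guarded(command_line):
    """Execute only after the policy passes, and without a shell (argv form)."""
    argv, reason = guard(command_line)
    if argv is None:
        raise PermissionError(reason)
    return subprocess.run(argv, check=False, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample command lines an agent might emit, including two
    # injection attempts; none of these are from the original skill.
    samples = [
        "agent-browser open https://example.com",
        "agent-browser eval 'document.cookie'",
        "agent-browser upload @e1 ../../.ssh/id_ed25519",
        "agent-browser upload @e1 report.pdf",
        "agent-browser fill @e2 'hello; rm -rf ~'",
        "agent-browser cookies",
    ]
    for line in samples:
        argv, reason = guard(line)
        verdict = "ALLOW" if argv else "DENY "
        print(f"{verdict} {reason:<70} {render_command(argv) if argv else line}")
```

The important design choice is that `guard()` never re-joins the arguments into a string for execution; `run_guarded()` passes the argv array straight to `subprocess.run`, so a payload such as `$(cat ~/.ssh/id_rsa)` that the model copied out of a web page reaches `agent-browser` as literal text. `render_command()` exists only to show the model the quoted form it should produce when it does run commands through Bash itself.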
Full report: https://skillshield.io/report/b813bc5c147e2aec (powered by SkillShield)