Trust Assessment
Agent Browser received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Arbitrary JavaScript Execution via `eval` command, Arbitrary File Write on Agent Host, and Sensitive Browser Data Exfiltration.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. The llm_behavioral_safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit f68cca2b). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary JavaScript Execution via `eval` command.** The `agent-browser eval` command executes an arbitrary JavaScript string in the context of the browsed page. If an attacker can control that string (for example via page content the agent turns into an `eval` argument, or via unsanitized user input), the code runs with the page's origin privileges: it can read script-accessible cookies, local storage and form data, manipulate the DOM, or drive the session as the user. This is direct code injection into the browser environment. Remediation: do not build `eval` commands from untrusted input. Where JavaScript execution is genuinely needed, restrict it to fixed, reviewed snippets rather than trying to sanitize free-form code, or run it in a more sandboxed environment, and limit the agent's ability to construct `eval` invocations from user input. | Unknown | SKILL.md:169 |
| CRITICAL | **Arbitrary File Write on Agent Host.** Several `agent-browser` commands (`screenshot`, `pdf`, `state save`, `record`, `trace`) write files to whatever path they are given on the agent's host filesystem. If an attacker controls the path argument, they can overwrite important files, drop scripts into sensitive locations, or fill the disk, leading to denial of service or further compromise of the agent's environment. Remediation: confine all file outputs to one dedicated directory (or an allowlist of directories), resolve each path before writing, and reject any user-supplied filename that escapes that directory through path traversal. | Unknown | SKILL.md:109 |
| HIGH | **Sensitive Browser Data Exfiltration.** The `agent-browser cookies` and `agent-browser storage local` commands return authentication cookies and local storage entries from the active browser session. That data can contain session tokens, user preferences, and other personally identifiable information. An attacker who can prompt the agent could have it read this data from a user's session and send it elsewhere, enabling credential harvesting or session hijacking. Remediation: define strict policies on when the agent may read cookies and local storage, never trigger such reads from untrusted input, and, where access is required, keep the data inside the agent's trust boundary so it cannot be exposed or exfiltrated. | Unknown | SKILL.md:199 |
| HIGH | **Excessive Permissions / Broad Tool Access.** The skill declares `Bash(agent-browser:*)`, granting the agent the whole `agent-browser` CLI. That CLI can execute arbitrary JavaScript, write arbitrary files, intercept network traffic, and read sensitive browser data, so the grant greatly enlarges the attack surface: a compromised or manipulated agent can turn any of these capabilities against the user's browsing session or the agent's host. Remediation: re-evaluate whether the full `Bash(agent-browser:*)` grant is necessary. Prefer more granular permissions, and explicitly disallow or heavily restrict the dangerous commands (`eval`, writes to arbitrary paths, sensitive data retrieval). Validate and sandbox any command that is built from untrusted input. | Unknown | Manifest:1 |
| MEDIUM | **Unpinned Dependencies in Installation Instructions.** The installation instructions `npm install -g agent-browser` and `pnpm install` (after cloning) do not pin the `agent-browser` package or its dependencies to exact versions. This is a supply chain risk: a future installation can pull a newer release that is vulnerable or, if the package or one of its transitive dependencies is compromised, outright malicious. Remediation: pin to specific versions (e.g., `npm install -g agent-browser@1.2.3`). For source installations, commit a `pnpm-lock.yaml` and install with `pnpm install --frozen-lockfile` so resolution is deterministic. Audit and update dependencies regularly to address known vulnerabilities. | Unknown | SKILL.md:10 |
Full report: https://skillshield.io/report/64b0a0627d8fb704 (powered by SkillShield)