Security Audit
vercel-labs/agent-browser:skills/agent-browser
github.com/vercel-labs/agent-browser
Trust Assessment
vercel-labs/agent-browser:skills/agent-browser received a trust score of 43/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include "Hidden network beacons / undisclosed telemetry", "Sensitive environment variable access: $USER", and "Potential Command Injection in Bash Templates".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on March 6, 2026 (commit aba23531). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential Command Injection in Bash Templates. The provided Bash templates (`authenticated-session.sh`, `capture-workflow.sh`, `form-automation.sh`) directly interpolate user-controlled variables (e.g., `$LOGIN_URL`, `$STATE_FILE`, `$TARGET_URL`, `$OUTPUT_DIR`, `$FORM_URL`) into `agent-browser` commands. Although double quotes are used, a malicious input containing command substitution (e.g., `$(command)`) or newline characters could lead to arbitrary command execution on the host system. The `SKILL.md` also explicitly warns about shell quoting issues with the `eval` command, highlighting the general risk of unsanitized input in shell contexts. Remediation: Implement robust input sanitization or validation for all variables sourced from untrusted input before they are used in shell commands. Consider using a more secure method for passing arguments to `agent-browser` that avoids direct shell interpolation, or strictly validate inputs against expected patterns (e.g., URL regex, safe file paths). For file paths, ensure they are within a designated, sandboxed directory. | LLM | templates/authenticated-session.sh:19 |
| HIGH | Hidden network beacons / undisclosed telemetry. Command output piped through base64 encoding. Remediation: Remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/agent-browser/SKILL.md:449 |
| HIGH | Direct Credential Exposure in `authenticated-session.sh` Template. The `authenticated-session.sh` template demonstrates passing `APP_USERNAME` and `APP_PASSWORD` environment variables directly as arguments to `agent-browser fill` commands. This method can expose sensitive credentials in process lists (e.g., `ps aux`) and potentially in shell history, making them vulnerable to harvesting by other processes or users on the system. While the `SKILL.md` recommends the more secure 'Auth Vault' and `password-stdin` methods, the template itself promotes a less secure practice. Remediation: Modify the `authenticated-session.sh` template to exclusively recommend and demonstrate the use of `agent-browser auth save` with `--password-stdin` and `agent-browser auth login` for handling credentials. If direct `fill` is necessary, advise users to pipe passwords via stdin (e.g., `echo "$APP_PASSWORD" | agent-browser fill @e2 --stdin`) or use other secure input methods that avoid command-line exposure. | LLM | templates/authenticated-session.sh:70 |
| MEDIUM | Sensitive environment variable access: $USER. Access to sensitive environment variable '$USER' detected in shell context. Remediation: Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/agent-browser/SKILL.md:135 |
| MEDIUM | Browser Session State Saved Unencrypted by Default in Template. The `authenticated-session.sh` template saves browser session state to `./auth-state.json` using `agent-browser state save "$STATE_FILE"`. The `SKILL.md` documentation explicitly mentions the ability to "Encrypt state at rest" using `AGENT_BROWSER_ENCRYPTION_KEY`. However, the template does not utilize this encryption, meaning sensitive session tokens, cookies, and other browser state data could be stored unencrypted on the file system, making them vulnerable to unauthorized access if the host system is compromised. Remediation: Update the `authenticated-session.sh` template to include instructions and an example of how to use `AGENT_BROWSER_ENCRYPTION_KEY` when saving browser state, or to explicitly warn users about the unencrypted nature of the saved state and recommend its use for sensitive sessions. | LLM | templates/authenticated-session.sh:84 |