Security Audit
vercel-labs/agent-browser:skills/slack
github.com/vercel-labs/agent-browser

Trust Assessment
vercel-labs/agent-browser:skills/slack received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are "Excessively broad `agent-browser` permissions allow arbitrary browser actions" (critical) and "Skill enables extraction of sensitive Slack data" (high).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on March 6, 2026 (commit aba23531). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Excessively broad `agent-browser` permissions allow arbitrary browser actions | LLM | Manifest |
| HIGH | Skill enables extraction of sensitive Slack data | LLM | SKILL.md:210 |

CRITICAL: Excessively broad `agent-browser` permissions allow arbitrary browser actions (LLM layer, Manifest)

The skill declares `Bash(agent-browser:*)` and `Bash(npx agent-browser:*)` as allowed tools. This grants permission to execute any command provided by the `agent-browser` tool. The `agent-browser` tool is a powerful browser automation utility that includes commands such as:

- `agent-browser open <url>`: Allows navigation to any arbitrary URL, which could be exploited for phishing, drive-by downloads, or other malicious web interactions.
- `agent-browser execute <javascript>`: Allows execution of arbitrary JavaScript within the browser's context, enabling potential Cross-Site Scripting (XSS) attacks, credential harvesting (e.g., `document.cookie`), or other client-side exploits.
- `agent-browser download <url> <path>`: Allows downloading arbitrary files from the internet to the agent's filesystem, posing a risk of malware introduction.

While the skill's examples focus on benign Slack interactions, the broad permission allows an attacker to craft prompts that instruct the agent to perform these highly dangerous actions, extending far beyond the stated purpose of interacting with Slack.

Recommendation: Restrict `agent-browser` permissions to a strict whitelist of necessary subcommands and arguments. For example, if only specific Slack URLs are intended, restrict `open` to those domains. If JavaScript execution is not required, disallow the `execute` command. Implement robust input validation and sanitization for any user-controlled input passed to `agent-browser` commands, especially for URLs or script content.

HIGH: Skill enables extraction of sensitive Slack data (LLM layer, SKILL.md:210)

The skill explicitly uses the `agent-browser get text @e_message_ref` and `agent-browser snapshot --json > output.json` commands. These commands are designed to extract content from the Slack browser session, which can include highly sensitive information such as private message text, channel names, user data, and other confidential communications. While the skill itself does not demonstrate sending this extracted data to external services, it provides the direct means for the agent to collect it. If the agent then processes this extracted data and transmits it to an external LLM, logging service, or other third-party endpoint, it could lead to unauthorized data exfiltration and privacy breaches.

Recommendation: Implement strict data handling policies for any information extracted from sensitive applications like Slack. Ensure that extracted data is not transmitted to external LLMs or services without explicit user consent, proper anonymization, or redaction of sensitive details. Add clear warnings in the skill's documentation about the potential for sensitive data extraction and the need for careful handling.
Full report: https://skillshield.io/report/c47b54124245e346