100Critical
The skill enables arbitrary command execution, data exfiltration, and social engineering, while also introducing supply chain vulnerabilities through dynamic skill loading.
Behavior Analysis
Description verified — behavior matches claim
Claims to do
agent-browser: Browser automation CLI for AI agents. Uses Chrome/Chromium via CDP directly.
Actually does
This skill executes `agent-browser` commands via Bash, including installation and fetching skill definitions. It enables browser automation using Chrome/Chromium via the Chrome DevTools Protocol (CDP) to interact with websites, fill forms, click buttons, take screenshots, and extract data. It also supports specialized automation for Electron apps, Slack, Vercel Sandbox, and AWS Bedrock AgentCore.
Skill Info
Namevercel-labs/agent-browser/agent-browser
Registrygithub
Versionc201623710af
PURLpkg:github/vercel-labs/agent-browser@c201623710af?skill=agent-browser
Stars30,980
Installs221,500
Source
SHA-256eb4d564a7cd9...
SHA-1329e18f7c3d4...
MD5496c7748bdbd...
TLSHbc5151c5b00d...
Size2,477 bytes
Install
Assessments (2)
AI Agent Traps ↗Broad Bash command execution allowedcriticalcommand execution
The skill explicitly allows arbitrary `agent-browser` commands to be executed via Bash, granting extensive control over browser automation and potential system interaction if the CLI tool has such capabilities.
100% confidenceline 4
allowed-tools: Bash(agent-browser:*), Bash(npx agent-browser:*)
Data exfiltration and credential harvesting capabilitieshighdata exfiltration, credential harvesting
The skill's description explicitly mentions 'extracting data from a page' and 'login to a site', indicating capabilities that can be abused for exfiltrating sensitive information or harvesting user credentials.
90% confidenceline 3
description: ...extracting data...login to a site...
Social engineering via messaging capabilityhighsocial engineering
The skill enables 'sending Slack messages', which could be exploited by a malicious agent to perform social engineering attacks or spread misinformation within an organization.
90% confidenceline 3
description: ...sending Slack messages...
External skill loading introduces supply chain riskmediumsupply chain
The agent is instructed to load additional skills using `agent-browser skills get <name>`, which could introduce a supply chain vulnerability if the source of these skills is untrusted or compromised.
80% confidenceline 15
`agent-browser skills get <name>`
Version History (2)
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/vercel-labs/agent-browser/agent-browser)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/vercel-labs/agent-browser/agent-browser"><img src="https://mondoo.com/ai-agent-security/api/badge/github/vercel-labs/agent-browser/agent-browser.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/vercel-labs/agent-browser/agent-browser.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow