The skill is vulnerable to command injection via
Claims to do
Dogfood: Systematically explore a web application, find issues, and produce a report with full reproduction evidence for every finding.
Actually does
This skill uses `Bash` to execute commands, primarily leveraging the `agent-browser` tool. It navigates to a user-provided `TARGET_URL`, interacts with web elements (fills forms, clicks buttons), takes screenshots, records video, and captures browser console logs and errors. It saves all collected evidence (screenshots, videos, authentication state) and a markdown report into a local output directory.
The skill executes Bash commands using user-controlled parameters such as `{OUTPUT_DIR}`, `{TARGET_URL}`, `{EMAIL}`, and `{PASSWORD}`. Without proper sanitization by the orchestrating system, these parameters could be exploited for arbitrary command injection.
Bash(agent-browser:*), Bash(npx agent-browser:*), mkdir -p {OUTPUT_DIR}/screenshots, cp {SKILL_DIR}/templates/dogfood-report-template.md {OUTPUT_DIR}/report.md, agent-browser --session {SESSION} open {TARGET_URL}

The skill explicitly handles user-provided `{EMAIL}` and `{PASSWORD}` for authentication and saves the browser's authentication state to `{OUTPUT_DIR}/auth-state.json`. If this state file contains unencrypted credentials or session tokens and the output directory is not secured, it poses a significant risk of credential theft or session hijacking.
agent-browser --session {SESSION} fill @e1 "{EMAIL}", agent-browser --session {SESSION} fill @e2 "{PASSWORD}", agent-browser --session {SESSION} state save {OUTPUT_DIR}/auth-state.json

The skill's core function is to systematically explore web applications, collecting screenshots, videos, and console logs to identify issues. While intended for benign QA, this capability could be repurposed for malicious reconnaissance if the agent is directed at sensitive internal systems or attacker-controlled targets.
description: Systematically explore and test a web application to find bugs... Produces a structured report with full reproduction evidence -- step-by-step screenshots, repro videos, and detailed repro steps for every issue.
The skill relies on the `agent-browser` binary and external Markdown files (`references/issue-taxonomy.md`, `templates/dogfood-report-template.md`). A compromise of the `agent-browser` tool or manipulation of these referenced files could lead to altered agent behavior, biased instructions, or malicious actions.
allowed-tools: Bash(agent-browser:*), Read [references/issue-taxonomy.md], cp {SKILL_DIR}/templates/dogfood-report-template.md

The skill instructs the agent to "start immediately with defaults" and "Do not ask clarifying questions" in certain scenarios. This pattern reduces human oversight and confirmation steps, which could be abused in a different context, or with a compromised skill, to perform unintended actions without explicit user approval.
If the user says something like "dogfood vercel.com", start immediately with defaults. Do not ask clarifying questions unless authentication is mentioned but credentials are missing.