browser-use

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION | EXTERNAL_DOWNLOADS | DATA_EXFILTRATION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requests high-privilege permissions including Bash and Exec, which allow the agent to execute arbitrary commands on the host system.
  • [EXTERNAL_DOWNLOADS]: The documentation encourages the use of third-party LLM API gateways (cn.xingsuancode.com and ai.9w7.cn) instead of official providers. This configuration sends all task instructions and scraped webpage content to these unverified third-party services.
  • [DATA_EXFILTRATION]: The skill manages sensitive browser session state files (e.g., polymarket_auth.json and paths in ~/.playwright-data/) which store authentication cookies and tokens. This data could be exposed if the agent is compromised via indirect injection.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8).
      ◦ Ingestion points: Reads and interprets content from arbitrary web pages (e.g., polymarket.com) during task execution.
      ◦ Boundary markers: No delimiters or instructions to ignore embedded commands are present in the task prompts.
      ◦ Capability inventory: The agent has access to Bash, Exec, and file system tools.
      ◦ Sanitization: There is no evidence of sanitization or filtering of the web content before it is processed by the LLM.
  • [SAFE]: The provided code snippets include a configuration to disable browser security (disable_security=True). While intended to facilitate automation, this is a violation of security best practices that increases the risk of cross-site scripting (XSS) and other browser-based attacks.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 16, 2026, 08:52 PM