browser-use
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill requests high-privilege 'Bash' and 'Exec' tools in its metadata, allowing it to execute arbitrary shell commands on the host system.
- [COMMAND_EXECUTION]: The example configuration for the browser profile sets 'disable_security=True'. This flag disables critical browser-level protections such as the Same-Origin Policy (SOP), which a malicious website could exploit to access local files or mount cross-site attacks.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from external websites to drive AI decision-making.
  - Ingestion points: Reads and interprets HTML and webpage content via the 'Agent' class (SKILL.md).
  - Boundary markers: The provided examples do not use delimiters or instructions to prevent the agent from following malicious commands hidden in the web pages it visits.
  - Capability inventory: The skill is granted 'Bash', 'Exec', 'Read', and 'Write' tools, which could be abused if the AI is manipulated by external content.
  - Sanitization: There is no evidence of sanitization or validation of web content before it is processed by the LLM.
- [DATA_EXFILTRATION]: The skill handles sensitive information such as authentication state files ('polymarket_auth.json'), API keys, and cryptocurrency wallet addresses. The combination of browser access and file 'Write' permissions poses a risk of this data being leaked.
- [EXTERNAL_DOWNLOADS]: The skill suggests using non-standard third-party API providers ('cn.xingsuancode.com' and 'ai.9w7.cn') for LLM services. These are not verified vendors and could intercept API keys or traffic.
Audit Metadata