browser-use
Warn
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: MEDIUM
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes untrusted content from the public internet to drive autonomous browser actions.
  - Ingestion points: The `agent.run()` method processes data from external URLs (e.g., Polymarket) to determine navigation and interaction steps.
  - Boundary markers: None identified; the instructions contain no delimiters separating web data from agent instructions.
  - Capability inventory: The skill has access to powerful tools, including `Bash`, `Exec`, and browser control, which could be abused if an attacker-controlled website influences the LLM's decisions.
  - Sanitization: No evidence of sanitization or filtering of DOM/text data before it is passed to the LLM.
- [COMMAND_EXECUTION]: The skill uses `subprocess.run(['pkill', '-f', 'chrome'])` to manage system processes. While intended for resource cleanup, the combination of high system permissions (allowed-tools: `Bash`, `Exec`) and the explicit disabling of browser security features (`disable_security=True`) significantly increases the risk that a web-based exploit could achieve host-level command execution.
- [DATA_EXFILTRATION]: The documentation encourages the use of an external third-party API proxy (`https://ai.9w7.cn/v1`) for LLM requests. Routing sensitive API keys and request data through an unverified, non-standard proxy domain presents a high risk of credential harvesting and data exposure.
Audit Metadata