browser-use
Warn
Audited by Snyk on Apr 2, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md contains explicit Agent tasks and examples that open and scrape public websites (e.g., "打开 https://polymarket.com/event/fed-decision-in-march-885" in the "Polymarket 集成" and Quick Start sections), instructing the agent to read/interpret that third-party page content and even act (extract prices or execute trades), which clearly exposes it to untrusted user-generated/third-party content that could inject instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). Although browser-use is a general AI-driven browser automation tool, the skill prompt explicitly includes a "Polymarket 集成" section with an "执行交易" example that directs the agent to "连接钱包", "买入 $0.60 的 No", and "确认交易", and even shows passing sensitive_data like "wallet_address". Those examples demonstrate explicit capability to connect a crypto wallet and send on-chain or web-wallet transactions (i.e., execute financial transactions). This matches the Crypto/Blockchain (Wallets, Signing, Swaps) criterion for Direct Financial Execution.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (low risk: 0.30). The skill does not request sudo, create accounts, or edit privileged system files, but it explicitly instructs running system commands (pkill chrome), disables browser security, and reads/writes storage_state files — actions that modify host process and filesystem state without needing elevation, so it poses a moderate risk.
Issues (3)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- MEDIUM W013: Attempt to modify system services in skill instructions.