browser-use
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The helper script `scripts/mcp-client.py` implements `subprocess.Popen` with `shell=True` in the `StdioTransport` class, which could allow execution of shell commands if the `--stdio` argument is controlled by untrusted data.
- [EXTERNAL_DOWNLOADS]: The skill uses `npx @playwright/mcp@latest` in `scripts/start-server.sh` and `SKILL.md` to fetch and run the Playwright MCP server from the official npm registry. Playwright is a well-known project from Microsoft.
- [PROMPT_INJECTION]: The skill's ability to browse arbitrary URLs creates an attack surface for indirect prompt injection. Ingestion points: external website content accessed via `browser_navigate` and `browser_snapshot`. Boundary markers: none identified. Capability inventory: powerful browser tools such as `browser_run_code` and `browser_click` are available to the agent. Sanitization: web content is not sanitized before being presented to the agent.
- [REMOTE_CODE_EXECUTION]: The `browser_run_code` and `browser_evaluate` tools allow execution of arbitrary JavaScript within the browser context, which is a form of dynamic execution intrinsic to the skill's purpose.
- [DATA_EXFILTRATION]: The `browser_file_upload` tool allows the agent to interact with local files using absolute paths. An attacker could use indirect prompt injection on a web page to command the agent to upload sensitive local files to an external server.
Audit Metadata