browser-use

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (LOW): The skill uses npx @playwright/mcp@latest to download and execute the MCP server. While npx is a dynamic execution pattern, the @playwright scope is managed by a trusted organization (Microsoft), which downgrades the severity per safety guidelines.
  • [Dynamic Execution] (MEDIUM): The tools browser_evaluate and browser_run_code allow for the execution of arbitrary JavaScript strings. This provides a mechanism for running dynamically generated code within the browser context.
  • [Indirect Prompt Injection] (LOW): As a browser automation tool, this skill is designed to ingest and process untrusted data from external websites.
      • Ingestion points: browser_snapshot, browser_evaluate, and browser_run_code ingest content from the DOM of navigated pages.
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded instructions are present in the provided documentation.
      • Capability inventory: The skill can execute local commands (bash, python3), perform network operations (navigation), and execute JavaScript.
      • Sanitization: No evidence of sanitization or filtering of webpage content before it is processed by the agent.
  • [Command Execution] (LOW): The skill documentation suggests the use of bash scripts and python3 for managing the server lifecycle and interacting with the client, which involves local process execution.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 07:19 AM