browser-use
Fail
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides native commands for arbitrary code execution.
  browser-use python "statement" enables the execution of arbitrary Python code with persistent state across calls (File: references/cdp-python.md). browser-use eval "js code" allows for the execution of arbitrary JavaScript within the active browser context (File: SKILL.md).
- [DATA_EXFILTRATION]: Facilitates the extraction of sensitive session data and user information.
  browser-use cookies export and browser-use cookies get allow for the programmatic retrieval of session cookies. The Python CDP bridge provides access to the Network.getCookies method for detailed cookie extraction (File: references/cdp-python.md). browser-use connect enables the agent to interact with the user's main Chrome profile, providing access to saved logins and authenticated sessions (File: SKILL.md). browser-use screenshot can be used to capture sensitive information displayed on web pages.
- [COMMAND_EXECUTION]: Provides a comprehensive CLI for system and browser management. It enables management of background daemons and browser sessions via the browser-use command.
  browser-use tunnel utilizes Cloudflare's service to establish network tunnels and expose local ports to the internet (File: SKILL.md).
- [CREDENTIALS_UNSAFE]: Manages sensitive authentication data in local storage.
  browser-use cloud login stores API keys in a local configuration file located at ~/.browser-use/config.json (File: SKILL.md).
- [EXTERNAL_DOWNLOADS]: Fetches external components for updates.
  browser-use profile update downloads and updates the profile-use binary from the vendor's official resources (File: SKILL.md).
- [PROMPT_INJECTION]: The skill's architecture presents a surface for instructions embedded in external data (indirect prompt injection).
  Ingestion points: Untrusted data enters the agent context via browser-use state, browser-use get html, and browser-use get text (File: SKILL.md).
  Boundary markers: No delimiters or safety instructions are present to distinguish between web content and agent commands.
  Capability inventory: The toolset includes arbitrary code execution (python, eval), cookie management, and network tunneling.
  Sanitization: There is no evidence of input validation or content filtering for data retrieved from the web.
Recommendations
- AI detected serious security threats
Audit Metadata