
browser-use

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides actions named evaluate and run_code that allow for the execution of arbitrary JavaScript and Playwright code within the user's browser. Since the browser session is already logged in, this capability can be exploited to perform unauthorized actions or steal sensitive information like session cookies and private data.
  • [EXTERNAL_DOWNLOADS]: The run.py script fetches and runs the @playwright/mcp package from the NPM registry to facilitate browser communication.
  • [COMMAND_EXECUTION]: The skill uses the subprocess.Popen method to execute commands for initiating the browser bridge.
  • [DATA_EXFILTRATION]: The skill can capture screenshots, extract the page structure through snapshots, and execute code that can read any data visible in the browser or stored in the session, which is then returned to the calling agent.
  • [CREDENTIALS_UNSAFE]: The skill requires and uses a sensitive environment variable named ALEX_BROWSER_BRIDGE_TOKEN to authenticate with and control the browser extension.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
      1. Ingestion points: the navigate and snapshot actions in run.py read content from external websites.
      2. Boundary markers: absent.
      3. Capability inventory: subprocess.Popen and browser code execution (evaluate, run_code) in run.py.
      4. Sanitization: absent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 15, 2026, 02:06 AM