browser-use
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill grants the agent the ability to execute arbitrary Python code via the `browser-use python` command and JavaScript via `browser-use eval`. This allows for arbitrary code execution on the host machine within the persistent browser session environment.
- DATA_EXFILTRATION (HIGH): The `--browser real` flag allows the agent to access the user's actual Chrome profile, including cookies, saved passwords, and authenticated login sessions (e.g., email, financial sites). Combined with the ability to read page HTML and take screenshots, this enables the exfiltration of highly sensitive personal data.
- INDIRECT_PROMPT_INJECTION (LOW): This category flags vulnerability surfaces where untrusted data could influence agent behavior.
  - Ingestion points: The agent reads untrusted data from external web pages via `browser-use open`, `browser-use state`, and `browser-use extract`.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded content are present in the provided tool descriptions.
  - Capability inventory: The skill possesses high-risk capabilities including `browser-use python`, `browser-use eval`, and `browser-use run` (autonomous agent tasks).
  - Sanitization: No sanitization or validation of external web content is described before the data is processed or used in further commands.
- DYNAMIC_EXECUTION (MEDIUM): The skill explicitly uses dynamic execution of strings as code (Python and JavaScript). While intended for automation, this mechanism is easily subverted if input strings are derived from untrusted web pages.
Recommendations
- AI detected serious security threats
Audit Metadata