remote-browser
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides the `browser-use python` command, which allows the execution of arbitrary Python strings or script files. This grants full access to the underlying Python environment and the `browser` object state.
- [REMOTE_CODE_EXECUTION]: The `browser-use eval` command allows the execution of arbitrary JavaScript within the context of the remote browser page.
- [COMMAND_EXECUTION]: The skill uses the `browser-use` CLI to manage complex operations like starting agents (`browser-use run`) and managing tunnels, which are sensitive operations.
- [DATA_EXFILTRATION]: The `browser-use cookies export` and `import` commands allow sensitive session data to be written to or read from arbitrary file paths on the system.
- [DATA_EXFILTRATION]: The `browser-use tunnel` command utilizes Cloudflare tunnels to expose local ports on the sandboxed machine to the public internet, which could lead to accidental exposure of internal services.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to its core function of processing untrusted web data.
  - Ingestion points: Content enters via `browser-use open`, `browser-use state`, `browser-use get html`, and `browser-use get text`.
  - Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the documentation for the `run` or `state` commands.
  - Capability inventory: The skill has access to `Bash` via `browser-use` CLI, which includes arbitrary Python and JS execution and network tunneling.
  - Sanitization: There is no mention of sanitizing or escaping the HTML/text retrieved from websites before it is processed by the agent or the `run` command.
Audit Metadata