browser-use

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: CRITICAL

Tags: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The browser-use python command allows for the execution of arbitrary Python code on the host system, enabling unauthorized host access and control.
  • [REMOTE_CODE_EXECUTION]: The browser-use eval command enables arbitrary JavaScript execution within the browser context, allowing for manipulation of the DOM and potential data theft.
  • [DATA_EXFILTRATION]: The browser-use profile sync command facilitates the extraction of sensitive session cookies from local Chrome profiles and uploads them to a cloud-based service.
  • [CREDENTIALS_UNSAFE]: Use of the --browser real flag grants the agent access to the user's primary browser profile, including all active login sessions and authentication tokens.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection.
    • Ingestion points: browser-use open, state, and get html ingest untrusted content from arbitrary websites.
    • Boundary markers: There are no mechanisms defined to prevent the agent from following instructions embedded in web content.
    • Capability inventory: The agent possesses high-impact tools including host-level code execution (python), file exfiltration (profile sync), and authenticated browser access (--browser real).
    • Sanitization: Web content is not sanitized before being processed by the agent.
  • [COMMAND_EXECUTION]: The skill relies on the Bash tool to execute CLI commands, providing a significant attack surface for command-line-based exploits.
  • [EXTERNAL_DOWNLOADS]: The installation instructions involve downloading the browser-use package and its Chromium dependencies from external, third-party sources.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Mar 4, 2026, 04:10 AM