ai-search-browser-use
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): Automated scanners detected a high-risk pattern 'curl -s http://localhost:9222/json | python3'. This pattern involves fetching content from the local debugger port and executing it directly via the Python interpreter, which allows for immediate, arbitrary code execution.
- COMMAND_EXECUTION (HIGH): The script 'scripts/browser_plan.py' constructs shell commands by string-interpolating a URL parameter in the '_open_command' function. An attacker who supplies a malformed URL containing shell metacharacters (e.g., a closing single quote that terminates the quoted argument) can achieve arbitrary command execution on the host system.
- PROMPT_INJECTION / JS INJECTION (HIGH): In 'ai_query.py', user-provided input ('query_text') is directly interpolated into a JavaScript template literal and executed via 'Runtime.evaluate' in the browser. An attacker can use backticks to break out of the template string and execute arbitrary JavaScript code within the context of an authenticated session (Gemini/Qwen), leading to session hijacking.
- DATA_EXFILTRATION (HIGH): The skill is designed to scrape and return data from private AI chat sessions. Combined with the JS injection vulnerability, an attacker can silently exfiltrate user chat histories, session cookies, and personal information to an external server while the agent is 'querying' the AI.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): http://localhost:9222/json - DO NOT USE
- AI detected serious security threats
Audit Metadata