browser-use
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM | COMMAND_EXECUTION | DATA_EXFILTRATION | EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill documentation and referenced files describe executing external CLI tools (yt-dlp, curl, wget) via subprocess and 'uv run'. This presents a potential shell injection vector if the agent passes unvalidated user-provided URLs or search queries to the shell environment.
- [DATA_EXFILTRATION] (MEDIUM): The skill explicitly manages browser authentication state in the '~/.auth/' directory. These files contain live session cookies and local storage data. Since the skill has 'Bash' and file-uploading capabilities, an attacker could potentially craft a prompt (or an indirect injection) to exfiltrate these credentials.
- [PROMPT_INJECTION] (LOW): There is a high risk of indirect prompt injection. The skill ingests untrusted data from websites (via 'browser.py auto', 'text', and 'links') and feeds it into the agent's context. Evidence:
  1. Ingestion points: 'browser.py' command outputs.
  2. Boundary markers: Absent in documentation.
  3. Capability inventory: 'Bash', 'Write', 'Edit' permissions.
  4. Sanitization: No evidence of HTML/text sanitization before processing.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill relies on reputable, well-known Python packages from PyPI (playwright, yt-dlp, requests).
Audit Metadata