browser-use
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
browser-use pythoncommand allows for the execution of arbitrary Python code within a persistent session, providing a direct path for executing malicious logic. - [REMOTE_CODE_EXECUTION]: The
browser-use evalcommand allows for the execution of arbitrary JavaScript code within the context of the active web page. - [DATA_EXFILTRATION]: The skill provides features for exporting browser cookies to local files (
browser-use cookies export) and syncing local Chrome profile cookies to the Browser-Use cloud (browser-use profile sync), which poses a high risk of sensitive session token exposure. - [EXTERNAL_DOWNLOADS]: The installation instructions require downloading and installing the
browser-usepackage and its dependencies (Chromium) from external repositories. - [COMMAND_EXECUTION]: The skill utilizes the
Bashtool to interact with the command line, enabling it to perform various system-level operations. - [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to its core function of processing untrusted web content.
- Ingestion points: Web page data is ingested through commands like
browser-use state,browser-use extract, andbrowser-use run. - Boundary markers: No specific delimiters or safety instructions are used to separate untrusted web content from agent instructions.
- Capability inventory: The skill possesses high-impact capabilities including arbitrary code execution (
python,eval) and sensitive data handling (cookies export). - Sanitization: There is no evidence of sanitization or filtering of the web content before it is processed by the AI agent.
Recommendations
- AI detected serious security threats
Audit Metadata