browser-use
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `browser-use python` command enables the execution of arbitrary Python code within a persistent session, allowing the agent to perform unrestricted operations on the host system.
- [COMMAND_EXECUTION]: The `browser-use eval` command allows for the execution of arbitrary JavaScript within the context of the browser, which can be used to manipulate web pages, bypass security controls, or extract sensitive information.
- [DATA_EXFILTRATION]: The skill includes subcommands for exporting browser cookies (`browser-use cookies export`) and syncing local browser profiles to a cloud service (`browser-use profile sync`), which facilitates the removal of sensitive session tokens and authentication data.
- [EXTERNAL_DOWNLOADS]: The documentation encourages the installation of the `browser-use[cli]` package from public registries using `uvx` or `pip`, which involves downloading and executing code from an unverified third-party source.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core functionality of ingesting and acting upon data from external web pages.
  - Ingestion points: Untrusted data enters the agent's context through navigation and state inspection commands like `browser-use open`, `browser-use state`, and `browser-use get html` (SKILL.md).
  - Boundary markers: There are no provided delimiters or instructions to the agent to disregard instructions embedded within the retrieved website content.
  - Capability inventory: The skill possesses powerful capabilities including arbitrary code execution (`python`, `eval`) and file system/network access for data export.
  - Sanitization: No sanitization or validation mechanisms are described for the content retrieved from external sources before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata