browser-use
Fail
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents and enables the use of the browser-use python "statement" command, which allows for the execution of arbitrary Python code on the host system where the agent is running.
- [CREDENTIALS_UNSAFE]: The CLI provides built-in commands to export browser cookies to local files (browser-use cookies export) and includes documentation for harvesting cookies directly via Python CDP scripts, which can lead to the exposure of active session tokens.
- [DATA_EXFILTRATION]: The skill includes functionality to create public URLs for local ports via the browser-use tunnel command (utilizing Cloudflare), which could be used to expose internal services or exfiltrate data from the local environment.
- [PROMPT_INJECTION]: The skill has a high exposure to indirect prompt injection (Category 8) because it ingests untrusted data from web pages while possessing powerful system-level capabilities.
- Ingestion points: Processes untrusted web content via browser-use state, browser-use get html, and browser-use get text in SKILL.md.
- Boundary markers: Absent. There are no instructions or delimiters defined to prevent the agent from executing instructions embedded in the web data it retrieves.
- Capability inventory: Arbitrary Python code execution, browser cookie harvesting, file uploads, and network tunneling.
- Sanitization: Absent. The skill does not implement validation or escaping for the data extracted from browsers before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata