browser-use-agentcore
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The
scripts/browser_test.pyfile usessubprocess.check_callto executepip installcommands at runtime. This allows the skill to execute system-level commands to modify the environment without explicit user confirmation.\n- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill automatically downloads and installs Python packages (bedrock-agentcore,playwright,nest_asyncio,boto3) via theensure_dependenciesfunction. Automated installation of packages at runtime is a security risk as it can be used for dependency injection or to install malicious code.\n- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).\n - Ingestion points: The
test_urlfunction inscripts/browser_test.pyingests untrusted data from external websites viapage.goto(url).\n - Boundary markers: None. There are no delimiters or instructions to ignore embedded commands in the processed web content.\n
- Capability inventory: The script can perform network requests via Playwright and write files to the local system (screenshots).\n
- Sanitization: None. Page titles and console errors are captured and returned directly to the agent without sanitization or escaping.
Audit Metadata