browser-use-expert
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to 'extract data from X' and 'automate web tasks'. This creates a significant attack surface where instructions embedded in external websites (hidden text, HTML comments) can be ingested and executed by the agent. Since the skill has direct command execution capabilities (click, input, select), a malicious website could take control of the agent's session.
- [Data Exposure & Exfiltration] (HIGH): The skill strongly mandates the use of `BROWSER_USE_API_KEY` and a proprietary `ChatBrowserUse` model. This encourages the transmission of browser state, which may contain sensitive session data or PII, to a third-party service outside of the primary AI provider's trust boundary.
- [Command Execution] (MEDIUM): The skill provides a set of CLI commands (`browser-use click`, `input`, etc.) that the agent is instructed to run. While these are for browser automation, they allow the agent to perform actions on the local or remote system that can have side effects on web accounts or internal networks accessible via the browser.
- [Prompt Injection] (MEDIUM): The 'Model Preference' section uses 'CRITICAL' markers to override default agent behavior, insisting on a specific third-party model over the user's or system's default preference.
Recommendations
- AI detected serious security threats
Audit Metadata