browser-harness
Fail
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to clone and install code from a third-party GitHub repository (https://github.com/browser-use/browser-harness.git). The installation command
pip install -e .executes the package's internal setup scripts, posing a risk of arbitrary code execution if the source repository is compromised or malicious. - [EXTERNAL_DOWNLOADS]: The skill setup process relies on downloading content from an external, non-whitelisted repository.
- [COMMAND_EXECUTION]: The skill provides instructions to enable Chrome's remote debugging port (
--remote-debugging-port=9222). This configuration allows the agent (and potentially other local processes) to programmatically control the browser, access all open tabs, and interact with the user's active sessions. - [PROMPT_INJECTION]: The skill allows the agent to ingest data from arbitrary external websites, creating a surface for indirect prompt injection. 1. Ingestion points: Web content and screenshots retrieved from the browser via CDP. 2. Boundary markers: Absent; no instructions are provided to help the agent distinguish between data and commands within web pages. 3. Capability inventory: Access to shell execution, file system modifications, and network tools. 4. Sanitization: No sanitization of ingested web content is performed.
- [DATA_EXFILTRATION]: The skill encourages the use of a third-party cloud service ("Browser Use Cloud") for browser tasks, which involves sending session data and potentially sensitive information to an external infrastructure.
Recommendations
- AI detected serious security threats
Audit Metadata