browser-harness

Fail

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to clone and install code from a third-party GitHub repository (https://github.com/browser-use/browser-harness.git). The installation command pip install -e . executes the package's internal setup scripts, posing a risk of arbitrary code execution if the source repository is compromised or malicious.
  • [EXTERNAL_DOWNLOADS]: The skill setup process relies on downloading content from an external, non-whitelisted repository.
  • [COMMAND_EXECUTION]: The skill provides instructions to enable Chrome's remote debugging port (--remote-debugging-port=9222). This configuration allows the agent (and potentially other local processes) to programmatically control the browser, access all open tabs, and interact with the user's active sessions.
  • [PROMPT_INJECTION]: The skill allows the agent to ingest data from arbitrary external websites, creating a surface for indirect prompt injection. 1. Ingestion points: Web content and screenshots retrieved from the browser via CDP. 2. Boundary markers: Absent; no instructions are provided to help the agent distinguish between data and commands within web pages. 3. Capability inventory: Access to shell execution, file system modifications, and network tools. 4. Sanitization: No sanitization of ingested web content is performed.
  • [DATA_EXFILTRATION]: The skill encourages the use of a third-party cloud service ("Browser Use Cloud") for browser tasks, which involves sending session data and potentially sensitive information to an external infrastructure.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 27, 2026, 04:58 AM
Security Audit — agent-trust-hub — browser-harness