browser-harness
Warn
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to clone the source code from
https://github.com/browser-use/browser-harness.gitto the local environment.\n- [REMOTE_CODE_EXECUTION]: After cloning, the agent is directed to install the package usingpip install -e .and execute Python scripts from the library, which constitutes running code from an external, untrusted source.\n- [COMMAND_EXECUTION]: The skill uses shell commands to launch Google Chrome with the--remote-debugging-portflag and to verify the setup usingcurlandpython -c.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of processing untrusted web data.\n - Ingestion points: Data from web pages is ingested into the agent context via the Chrome DevTools Protocol (CDP) during navigation and inspection tasks.\n
- Boundary markers: There are no explicit instructions for the agent to use delimiters or ignore instructions found within the web pages it visits.\n
- Capability inventory: The agent has access to sensitive tools such as
Bash,Write, andEdit, which could be misused if the agent inadvertently follows instructions embedded in a malicious page.\n - Sanitization: The skill does not describe any mechanism for sanitizing or filtering the content retrieved from the browser before the agent acts upon it.\n- [REMOTE_CODE_EXECUTION]: The skill encourages the creation and use of 'domain skills'—external Python scripts located in
agent-workspace/domain-skills/—which are dynamically loaded and executed by the agent at runtime.
Audit Metadata