browser-harness

Warn

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to clone the source code from https://github.com/browser-use/browser-harness.git to the local environment.\n- [REMOTE_CODE_EXECUTION]: After cloning, the agent is directed to install the package using pip install -e . and execute Python scripts from the library, which constitutes running code from an external, untrusted source.\n- [COMMAND_EXECUTION]: The skill uses shell commands to launch Google Chrome with the --remote-debugging-port flag and to verify the setup using curl and python -c.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of processing untrusted web data.\n
  • Ingestion points: Data from web pages is ingested into the agent context via the Chrome DevTools Protocol (CDP) during navigation and inspection tasks.\n
  • Boundary markers: There are no explicit instructions for the agent to use delimiters or ignore instructions found within the web pages it visits.\n
  • Capability inventory: The agent has access to sensitive tools such as Bash, Write, and Edit, which could be misused if the agent inadvertently follows instructions embedded in a malicious page.\n
  • Sanitization: The skill does not describe any mechanism for sanitizing or filtering the content retrieved from the browser before the agent acts upon it.\n- [REMOTE_CODE_EXECUTION]: The skill encourages the creation and use of 'domain skills'—external Python scripts located in agent-workspace/domain-skills/—which are dynamically loaded and executed by the agent at runtime.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 05:45 AM
Security Audit — agent-trust-hub — browser-harness