browser-use
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill repeatedly instructs the user and the agent to install the software using a highly insecure method: fetching a shell script from a remote URL (https://browser-use.com/cli/install.sh) and piping it directly into `bash`. This bypasses integrity checks and allows the remote server to execute arbitrary code on the host system.
  - Evidence: Found in `SKILL.md` (description and metadata) and `references/setup.md`.
- [COMMAND_EXECUTION]: The skill provides the agent with the ability to execute arbitrary Python code via `browser-use python` and JavaScript via `browser-use eval`. While these are features of the tool, they grant the agent extensive control over the local environment and the browser.
- [DATA_EXFILTRATION]: The skill includes a `tunnel` command (`browser-use tunnel 3000`) that exposes local network ports to the public internet. This creates a direct vector for data exfiltration or unauthorized remote access to local services.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it frequently ingests untrusted data from the web.
  - Ingestion points: Data is ingested via `browser-use state`, `browser-use eval`, and `browser-use get text` in `SKILL.md`.
  - Boundary markers: There are no defined boundary markers or instructions to the agent to ignore potentially malicious instructions found within the scraped web content.
- Capability inventory: The skill utilizes the `Bash` tool and the `browser-use` CLI to execute scripts and system commands.
- Sanitization: No evidence of sanitization or filtering of external content is provided in the documentation or instructions.
Recommendations
- HIGH: Downloads and executes remote code from: https://browser-use.com/cli/install.sh - DO NOT USE without thorough review
- AI detected serious security threats