browser-use
Fail
Audited by Snyk on Mar 23, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes commands that accept and demonstrate embedding secrets verbatim (e.g., "bu cloud login ", "bu cookies set ", and example chaining with a plaintext password via bu input), so an LLM generating commands or code from this skill could be asked to output secret values directly.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's core workflow and recipe system explicitly open arbitrary public URLs and extract page text (bu open , bu eval, bu get text in SKILL.md). The included recipes (recipes/grok_research.json, recipes/x_notifications.json) target X.com and pull user-generated content into the recipe context (recipe.py uses extracted values in ctx and format_map to drive later steps), so untrusted third‑party page content is ingested and can influence subsequent tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The wrapper script auto-bootstraps at runtime and explicitly fetches and executes remote installers (curl -LsSf https://astral.sh/uv/install.sh | sh and, on Windows, irm https://astral.sh/uv/install.ps1 | iex). The project also installs a required dependency from git+https://github.com/browser-use/browser-use.git on first run. Both are runtime remote code fetches that execute code locally.