browser-use

Fail

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes a python command (browser-use python "statement") that allows the agent to execute arbitrary Python code. This is documented as a feature for advanced CDP control but provides a direct path for executing arbitrary logic on the host system. Additionally, browser-use eval "js code" allows for arbitrary JavaScript execution within the browser context.
  • [DATA_EXFILTRATION]: Several commands facilitate the extraction of sensitive information. browser-use cookies export <file> can be used to harvest session tokens and authentication cookies. browser-use screenshot and browser-use get html allow for capturing sensitive data displayed on pages. The upload command can then be used to send these files to external sites.
  • [EXTERNAL_DOWNLOADS]: The browser-use profile update command downloads and updates external binaries. While targeting the vendor's own infrastructure, the execution of downloaded binaries is a sensitive operation.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It is designed to browse arbitrary websites and ingest their content into the agent's context.
      • Ingestion points: Web content is ingested via browser-use state, browser-use get text, and browser-use get html (SKILL.md).
      • Boundary markers: The instructions do not define clear boundary markers or instructions for the agent to ignore commands found within web content.
      • Capability inventory: The agent has access to powerful tools including arbitrary Python execution (python), file system access (upload, cookies export), and network exposure (tunnel) across all scripts.
      • Sanitization: No sanitization or validation of the ingested web content is performed before it is processed by the agent.
  • [CREDENTIALS_UNSAFE]: The browser-use connect and browser-use --profile commands allow the agent to access the user's real Chrome instance, including all logged-in sessions for services like Gmail, GitHub, and internal corporate tools. This poses a high risk if the agent is manipulated into performing actions on behalf of the user.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 20, 2026, 12:13 AM
Security Audit — agent-trust-hub — browser-use