remote-browser
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the 'browser-use' CLI tool to perform all operations via Bash commands, including browser session management and element interaction.
- [REMOTE_CODE_EXECUTION]: The skill exposes commands for arbitrary code execution: 'browser-use eval' allows executing JavaScript within the browser context, and 'browser-use python' (with persistent state) allows for execution of arbitrary Python code in the sandbox.
- [DATA_EXFILTRATION]: Several features enable the exposure or extraction of data: 'browser-use tunnel' uses Cloudflare tunnels to expose local ports to the public internet; 'browser-use cookies export' and 'get' allow extraction of session data; 'browser-use upload' enables sending local files to remote servers.
- [PROMPT_INJECTION]: The skill's core function of navigating untrusted web content creates an indirect prompt injection surface where malicious site content could influence the use of powerful commands.
  1. Ingestion points: web content retrieved via 'state', 'get html', and 'get text' in SKILL.md.
  2. Boundary markers: Absent; no instructions exist to isolate or ignore embedded commands in processed web data.
  3. Capability inventory: High-privilege operations including Python execution and port tunneling are available in SKILL.md.
  4. Sanitization: No evidence of input validation or content filtering for data retrieved from web pages.