browser-use
Fail
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The
.claude/settings.local.jsonfile contains permissions allowing the agent to executedefaults write:*, which provides the capability to modify system-level settings and configurations on macOS. - [REMOTE_CODE_EXECUTION]: The configuration file explicitly grants unrestricted access to
python3:*, enabling the agent to execute arbitrary Python code on the host machine independently of the browser automation tool's constraints. - [DATA_EXFILTRATION]: The skill facilitates the extraction, export, and cloud-syncing of browser cookies, specifically targeting 'real' browser profiles. This functionality can expose active login sessions and sensitive authentication tokens.
- [COMMAND_EXECUTION]: The
browser-useCLI includes features for dynamic execution of JavaScript (browser-use eval) and Python (browser-use python) within the persistent browser session. - [PROMPT_INJECTION]: Because the skill is designed to navigate and extract data from arbitrary web pages, it possesses a significant attack surface for indirect prompt injection, where malicious content on a website could override agent instructions.
- [REMOTE_CODE_EXECUTION]: The installation instructions suggest using
uvxanduv pipto download and install thebrowser-usepackage, which involves fetching and executing code from an external registry.
Recommendations
- AI detected serious security threats
Audit Metadata