browser-use
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill provides tools for comprehensive cookie management, including browser-use cookies get, set, and export. This allows the agent to access and potentially leak sensitive session tokens for authenticated social media accounts.
- [REMOTE_CODE_EXECUTION]: The browser-use eval tool enables the execution of arbitrary JavaScript within the browser context. Although the skill instructions provide guidelines against unsafe usage, this tool represents a significant execution vector that could be exploited if the agent is compromised.
- [PROMPT_INJECTION]: The skill is designed to interact with and process untrusted user-generated content (posts, DMs, profiles) from social media platforms. This creates a large surface for indirect prompt injection attacks.
  - Ingestion points: Untrusted data enters the context via browser-use state, browser-use get html, and browser-use screenshot (SKILL.md).
  - Boundary markers: The skill includes a dedicated 'Prompt Injection Defense' section and a 'Domain Allowlist' to mitigate risks (SKILL.md).
  - Capability inventory: The agent can perform authenticated actions like posting, messaging, and changing page state, and has the ability to execute code via eval (SKILL.md).
  - Sanitization: There is no programmatic sanitization; the skill relies on instructional constraints to ignore commands found in data.
- [COMMAND_EXECUTION]: The skill relies extensively on the browser-use CLI binary to perform system-level browser automation and interaction.
- [DATA_EXFILTRATION]: The skill has the capability to capture full page HTML and screenshots (browser-use screenshot, browser-use get html). In a compromised state, this functionality could be used to exfiltrate sensitive user data displayed on the screen or within the DOM.
Audit Metadata