browser-use
Fail
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The `browser-use python` command (documented in `references/cdp-python.md`) enables the execution of arbitrary Python statements, providing a direct interface for system-level code execution in the agent's environment.
- [REMOTE_CODE_EXECUTION]: The `browser-use eval` command allows for the execution of arbitrary JavaScript within the browser context, which could be exploited if the browser interacts with malicious or compromised web pages.
- [DATA_EXFILTRATION]: The skill facilitates the extraction of sensitive browser information, including cookies via `browser-use cookies export` and session data from user Chrome profiles using the `--profile` flag.
- [CREDENTIALS_UNSAFE]: Connection to the user's primary browser through `browser-use connect` exposes all logged-in accounts and private browser data to the skill's automation logic.
- [EXTERNAL_DOWNLOADS]: The `browser-use profile update` command initiates a download of the `profile-use` binary from a remote source, presenting a risk of unverifiable code execution.
- [PROMPT_INJECTION]: The skill presents a large attack surface for indirect prompt injection. Untrusted data enters the context through commands like `browser-use state` and `browser-use get text` (ingestion points). There are no visible boundary markers or instructions to ignore embedded commands (boundary markers). The skill possesses high-privilege capabilities including code execution, cookie extraction, and file access (capability inventory), and there is no specified sanitization of retrieved web content (sanitization).
Recommendations
- AI detected serious security threats
Audit Metadata