Security Audit
browser-use/browser-use:skills/browser-use
github.com/browser-use/browser-useTrust Assessment
browser-use/browser-use:skills/browser-use received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Arbitrary Python Code Execution, Credential Harvesting via Cookie Export, Unrestricted Access to Local Browser Profiles.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. The llm_behavioral_safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 8, 2026 (commit c011d07e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Python Code Execution The skill exposes a `python` subcommand that allows executing arbitrary Python code on the host machine. If an attacker successfully performs a prompt injection (e.g., via a malicious website the browser visits), they could instruct the agent to execute malicious Python code, leading to Remote Code Execution (RCE) and full system compromise. Disable the `python` subcommand for the agent or strictly sandbox the Python execution environment. Ensure the agent cannot execute system-level commands via Python's `os` or `subprocess` modules. | Unknown | SKILL.md:118 | |
| HIGH | Credential Harvesting via Cookie Export The skill provides functionality to export cookies (`cookies export`) and sync full browser profiles (`profile sync`). This allows the extraction of sensitive session tokens and authentication cookies, which could be exfiltrated to an attacker, leading to account takeovers. Restrict access to cookie export and profile sync commands. If necessary, implement a strict allowlist of domains for cookie access and require explicit user confirmation for any export operations. | Unknown | SKILL.md:94 | |
| HIGH | Unrestricted Access to Local Browser Profiles The `--browser real` option allows the agent to attach to the user's actual Chrome instance, granting access to all active logins, browsing history, and saved passwords. This grants the agent excessive permissions to impersonate the user on any website. Default to isolated, headless browser instances (`--browser chromium`). Restrict the use of `--browser real` to specific, user-approved sessions or require explicit confirmation before attaching to a real browser profile. | Unknown | SKILL.md:43 | |
| MEDIUM | Arbitrary JavaScript Execution The `eval` command permits executing arbitrary JavaScript within the browser context. While scoped to the browser, this can be used to bypass client-side protections, steal data from the DOM, or perform unauthorized actions on web applications. Limit the use of `eval` to predefined, safe scripts or replace it with specific, safer API calls for required data extraction. | Unknown | SKILL.md:84 |
Scan History
Embed Code
[](https://skillshield.io/report/0ec77acd661eaf80)
Powered by SkillShield