Security Audit
browser-use/browser-use:skills/browser-use
github.com/browser-use/browser-use
Trust Assessment
browser-use/browser-use:skills/browser-use received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 8 findings: 3 critical, 5 high, 0 medium, and 0 low severity. Key findings include Arbitrary Python Code Execution, Access to User's Default Browser Profile, and Arbitrary File Upload via Web Forms.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on April 1, 2026 (commit e026a51f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary Python Code Execution | The skill allows execution of arbitrary Python code on the host system via `browser-use python "code"`. This grants full system access, enabling data exfiltration, command injection, and credential harvesting. An attacker could use this to read sensitive files, access environment variables, or make network requests to exfiltrate data. | Remove or severely restrict the `browser-use python` command. If essential, implement strict sandboxing and allow only a predefined, safe subset of operations. Ensure any user-provided input to this command is heavily sanitized. | LLM | SKILL.md:109 |
| CRITICAL | Access to User's Default Browser Profile | The skill can open the user's 'Default' Chrome profile using `browser-use --profile "Default" open <url>`. This grants access to all sensitive data within that profile, including saved passwords, cookies, browsing history, and personal information, leading to severe privacy and security breaches. | Disallow access to the 'Default' profile. Only permit the use of temporary, isolated browser profiles, or require explicit user confirmation for any profile access. | LLM | SKILL.md:155 |
| CRITICAL | Arbitrary File Upload via Web Forms | The `browser-use upload <index> <path>` command allows the skill to upload any local file from the host system to a web form. This is a direct data exfiltration vector, enabling an attacker to upload sensitive files (e.g., `~/.ssh/id_rsa`, `/etc/passwd`) to external services. | Restrict file paths for uploads to a designated, sandboxed directory, or require explicit user confirmation for each upload operation. Ensure user-provided paths are sanitized to prevent directory traversal. | LLM | SKILL.md:79 |
| HIGH | Arbitrary File Export (Cookies) | The `browser-use cookies export <file>` command allows exporting sensitive browser cookies to any specified file path on the host system. This can lead to credential harvesting and data exfiltration if an attacker can control the `<file>` argument. | Restrict file paths for cookie exports to a designated, sandboxed directory, or require explicit user confirmation. Ensure user-provided paths are sanitized to prevent directory traversal. | LLM | SKILL.md:101 |
| HIGH | Arbitrary File Write (Screenshot) | The `browser-use screenshot [path.png]` command allows writing a screenshot to any specified file path on the host system. This could be abused for denial of service (filling disk space) or to overwrite important files if the path is not properly sanitized and controlled by an attacker. | Restrict file paths for screenshots to a designated, sandboxed directory, or require explicit user confirmation. Ensure user-provided paths are sanitized to prevent directory traversal. | LLM | SKILL.md:59 |
| HIGH | Arbitrary JavaScript Execution in Browser | The `browser-use eval "js code"` command allows execution of arbitrary JavaScript within the browser context. This can be used to extract sensitive data (e.g., cookies, local storage, form data), manipulate the DOM, or make unauthorized network requests from the browser's origin, potentially leading to data exfiltration or session hijacking. | Restrict `eval` to a very limited set of safe operations, or remove it entirely. If necessary, ensure the browser context is isolated and cannot access sensitive user data. Sanitize any user-provided JavaScript code. | LLM | SKILL.md:88 |
| HIGH | Cloud API REST Passthrough for Data Exfiltration | The `browser-use cloud v2 POST /tasks '{"task":"...","url":"..."}'` command provides a generic REST passthrough to the `browser-use` cloud API. An attacker could craft malicious POST requests to exfiltrate data or trigger unintended actions if the cloud API has vulnerable endpoints or allows arbitrary data submission to external services. | Restrict the allowed cloud API endpoints and parameters. Implement strict validation and authorization for all cloud API interactions, and require explicit user confirmation for sensitive operations. | LLM | SKILL.md:129 |
| HIGH | Local Port Exposure via Cloudflare Tunnel | The `browser-use tunnel <port>` command allows exposing arbitrary local ports to the internet via Cloudflare tunnels. This can inadvertently expose local services, databases, or other sensitive data to the public, creating a significant attack surface for an attacker to exploit. | Require explicit user confirmation for tunnel creation, or restrict which local ports can be tunneled to only known safe services. Ensure user-provided port numbers are validated. | LLM | SKILL.md:137 |