Trust Assessment
remote-browser received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 4 high, 0 medium, and 0 low severity. Key findings include Arbitrary Python Code Execution, Arbitrary JavaScript Execution in Browser, and Broad Filesystem Read/Write Access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on April 1, 2026 (commit e026a51f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Python Code Execution** The skill explicitly allows the execution of arbitrary Python code via `browser-use python "code"` and `browser-use python --file script.py`. Given the `Bash(browser-use:*)` permission, an attacker can inject and execute any Python code. This grants full system access, including reading/writing files, accessing environment variables, and making network requests, leading to severe data exfiltration, command injection, and system compromise risks. Remove or severely restrict the `browser-use python` command. If Python execution is absolutely necessary, it must be sandboxed and its capabilities strictly limited to prevent arbitrary code execution and filesystem/network access. | LLM | SKILL.md:100 |
| HIGH | **Arbitrary JavaScript Execution in Browser** The skill allows the execution of arbitrary JavaScript code within the browser context using `browser-use eval "js code"`. This enables an attacker to extract sensitive information from web pages (e.g., cookies, local storage, DOM content, form data), manipulate the page, or perform actions on behalf of the user. This is a significant data exfiltration and potential cross-site scripting (XSS) risk if the browser is used to visit untrusted sites. Remove or strictly sanitize the input to `browser-use eval`. If JavaScript execution is required, consider using a more controlled API that limits access to sensitive browser objects or data. | LLM | SKILL.md:80 |
| HIGH | **Broad Filesystem Read/Write Access** The skill grants broad filesystem access through commands like `browser-use upload <index> <path>`, `browser-use cookies import <file>`, and `browser-use screenshot [path.png]`. These allow reading arbitrary files from the agent's system (e.g., for exfiltration via upload or cookie import) and writing files to arbitrary locations. This, combined with arbitrary Python execution, creates a significant data exfiltration and system manipulation risk. Restrict the paths that `browser-use` can access for file operations. Implement strict allow-listing for file paths or use a sandboxed environment that limits filesystem access. | LLM | SKILL.md:70 |
| HIGH | **Local Network Exposure via Cloudflare Tunnels** The `browser-use tunnel <port>` command allows the agent to create Cloudflare tunnels, exposing local services running on specified ports to the public internet. This can lead to unauthorized access to internal services, data exfiltration, or remote code execution if vulnerable services are exposed. Restrict or remove the `browser-use tunnel` command. If tunnels are necessary, ensure that only explicitly approved ports can be exposed and that the exposed services are properly secured and isolated. | LLM | SKILL.md:110 |
| HIGH | **Credential and Sensitive Data Exfiltration from Browser** The skill provides multiple commands to extract sensitive data from the browser, including `browser-use cookies get/export`, `browser-use get html/text/value/attributes`, and `browser-use screenshot`. These capabilities allow for credential harvesting (e.g., session cookies) and exfiltration of any sensitive information displayed or stored within the web pages. Implement strict data access policies within the browser environment. Limit the ability to export cookies or capture screenshots, and sanitize or redact sensitive information from page content before it is returned to the agent. | LLM | SKILL.md:92 |