Trust Assessment
gemini-computer-use received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. The findings are: unrestricted URL navigation allows access to local files or internal networks; arbitrary key combinations can trigger browser-level actions; and a custom browser executable path set via environment variable introduces supply chain risk.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unrestricted URL navigation allows access to local files or internal networks.** The `navigate` action allows the AI model to direct the browser to any URL provided in `args["url"]`. This includes `file://` URLs, which could allow the model to read local files accessible by the browser process, or internal network addresses, leading to data exfiltration or internal network probing if the browser is not adequately sandboxed. While the documentation advises sandboxing, the code itself does not enforce or restrict this behavior. Implement strict URL validation within the `navigate` function to disallow `file://`, `data:`, and potentially other risky schemes. Consider allowing only HTTP/HTTPS and/or restricting navigation to a predefined set of domains. Ensure robust browser sandboxing is programmatically enforced or clearly documented as a critical prerequisite. | LLM | scripts/computer_use_agent.py:200 |
| MEDIUM | **Arbitrary key combinations can trigger browser-level actions.** The `key_combination` action allows the AI model to press any specified key combination using `page.keyboard.press(keys)`. This capability could be abused to trigger browser-specific shortcuts (e.g., Ctrl+S for saving pages, Ctrl+O for opening local files, F12 for developer tools, Alt+F4 for closing the browser), which might lead to unintended actions, data leakage, or disruption of the user's system if the browser is not properly isolated. Restrict the `keys` argument to a predefined whitelist of safe and necessary key combinations. Alternatively, ensure that the browser environment is sufficiently sandboxed to prevent these key combinations from affecting the host system or accessing sensitive resources. | LLM | scripts/computer_use_agent.py:228 |
| MEDIUM | **Custom browser executable path via environment variable introduces supply chain risk.** The script allows specifying a custom browser executable via the `COMPUTER_USE_BROWSER_EXECUTABLE` environment variable. If this environment variable is compromised or set to an untrusted executable, it could lead to the execution of arbitrary malicious code outside the intended browser context. While Playwright's `executable_path` parameter is designed for specifying a browser binary, allowing an arbitrary path via an environment variable without validation or warning increases the attack surface and introduces a supply chain risk if the environment is not secured. Add a prominent security warning in the documentation about the risks of using `COMPUTER_USE_BROWSER_EXECUTABLE` with untrusted paths. Consider implementing a whitelist of allowed executable paths or requiring explicit user confirmation if a non-default executable is specified. | LLM | scripts/computer_use_agent.py:270 |