Browser Use 2.0.0 Local
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent browser-automation wrapper, but it grants broad browser, session-cookie, cloud/tunnel, and code-execution capabilities without clear scoping or approval boundaries.
Install only if you need powerful browser automation and are comfortable supervising it. Prefer a separate test browser profile, avoid using existing logged-in Chrome profiles, review every cookie/cloud/tunnel/Python action, and close all browser-use sessions when finished.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could act on websites as the already logged-in user, including viewing or changing account data, whether it is asked to or is misdirected by page content.
The skill can direct the agent to use a real Chrome profile containing existing authenticated sessions, giving it access to accounts the user is already logged into.
browser-use --profile "Default" open <url> # Real Chrome with Default profile (existing logins/cookies)
Use a dedicated test browser profile with no sensitive logins, and require explicit user confirmation before actions on authenticated sites.
The agent has broad ability to click, type, upload files, manipulate cookies, call cloud API passthroughs, and operate sessions through this CLI.
The allowed tool scope covers the entire browser-use command namespace, not just low-risk actions like opening pages or taking screenshots.
allowed-tools: Bash(browser-use:*)
Narrow the allowed commands where possible, and require user approval for uploads, authenticated-site changes, cookie operations, cloud calls, or destructive actions.
If invoked carelessly, the agent may run arbitrary local Python through the browser-use CLI rather than only performing browser actions.
The skill documents a browser-use subcommand that executes Python code with persistent variables, which is broader than ordinary browser clicking or extraction.
browser-use python "code" # Execute Python (variables persist across calls)
Avoid using the Python execution mode unless the user explicitly requests it and understands what code will run.
A local service or browser-related endpoint could be made reachable outside the machine if the tunnel command is used without care.
The documented tunnel feature can expose a local port through an external service, but the artifact does not describe authentication, intended ports, or data-boundary safeguards.
browser-use tunnel <port> # Start Cloudflare tunnel (idempotent)
Only start tunnels for specific user-approved ports, verify what is exposed, and stop tunnels when finished.
Security depends on which browser-use binary is installed locally, even though the skill package itself contains no runnable code.
The scanner could not inspect the actual browser-use CLI implementation; the skill relies on a locally installed external command.
No install spec and no code files are present; this is an instruction-only skill.
Install browser-use only from a trusted source, keep it updated, and verify the local binary before giving it access to real browser profiles or accounts.
Browser tabs, sessions, or authenticated state may remain active until the user or agent closes them.
The persistence is disclosed and a cleanup command exists, but users should be aware that browser state, including authenticated sessions, continues beyond a single command.
A background daemon keeps the browser open across commands
Run browser-use close or browser-use close --all after sensitive work, and avoid leaving logged-in sessions open.
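The recommendations in the findings above (a dedicated test profile, narrowed commands, explicit approval for high-risk actions, a verified binary, and closing sessions afterwards) can be enforced in one place by a wrapper the agent calls instead of the bare CLI. The POSIX shell script below is an added example written for this report; it is not code from the skill, from ClawScan, or from the browser-use project. The binary path, the SHA-256 placeholder, the test profile name, the BROWSER_USE_APPROVED variable, and every subcommand name other than open, python, tunnel and close (the ones quoted in the findings) are assumptions to be adjusted to the installed CLI.

```shell
#!/bin/sh
# Policy wrapper for the browser-use CLI (added example for this report; not part of
# the skill or of browser-use). Before any command reaches the real binary it:
#   1. checks the binary path and SHA-256 (placeholders below; set your own values),
#   2. refuses a caller-supplied --profile and injects a dedicated test profile,
#   3. lets low-risk subcommands run, requires BROWSER_USE_APPROVED=1 for the rest,
#   4. closes all sessions when the shell exits.
# Only open, python, tunnel, close and --profile appear in the report; the other
# subcommand names below are assumptions about the installed CLI's namespace.
set -u

BROWSER_USE_BIN="${BROWSER_USE_BIN:-/usr/local/bin/browser-use}"   # assumed install path
BROWSER_USE_SHA256="${BROWSER_USE_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"  # placeholder hash
TEST_PROFILE="${TEST_PROFILE:-browser-use-test}"                   # profile with no real logins

# Hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Succeeds only if $1 is a regular file whose SHA-256 equals $2 (hex, any case).
verify_browser_use_binary() {
  [ -f "$1" ] || return 1
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Prints allow, approve or deny for a browser-use argument vector.
browser_use_verdict() {
  for arg; do
    case "$arg" in
      --profile|--profile=*) echo deny; return 0 ;;   # never reuse a real Chrome profile
    esac
  done
  case "${1:-}" in
    open|screenshot|state|close) echo allow ;;                # page loads, read-only views, cleanup
    python|tunnel|cookies|cloud|upload|eval) echo approve ;;  # the report's high-risk classes
    "") echo deny ;;                                          # nothing to run
    *) echo approve ;;                                        # unknown subcommand: ask first
  esac
}

# Runs one command under the policy. Usage: sh wrapper.sh open https://example.test
run_browser_use() {
  if ! verify_browser_use_binary "$BROWSER_USE_BIN" "$BROWSER_USE_SHA256"; then
    echo "refusing to run: $BROWSER_USE_BIN is missing or its hash does not match" >&2
    return 2
  fi
  case "$(browser_use_verdict "$@")" in
    deny)
      echo "refused: supply no --profile; the wrapper injects $TEST_PROFILE" >&2
      return 2 ;;
    approve)
      if [ "${BROWSER_USE_APPROVED:-0}" != 1 ]; then
        echo "needs explicit approval (BROWSER_USE_APPROVED=1): browser-use $*" >&2
        return 2
      fi ;;
  esac
  # Tear down every session on exit so no authenticated state outlives this shell.
  trap '"$BROWSER_USE_BIN" close --all >/dev/null 2>&1' EXIT
  "$BROWSER_USE_BIN" --profile "$TEST_PROFILE" "$@"
}

if [ $# -gt 0 ]; then
  run_browser_use "$@"
fi
```

Invoke it as sh wrapper.sh open <url>; python, tunnel and the other high-risk subcommands only run when BROWSER_USE_APPROVED=1 is set for that invocation, so the approval step is visible both on the command line and in shell history. If the skill's frontmatter accepts prefix patterns of the same shape as the quoted allowed-tools line, the allow set above maps onto entries such as Bash(browser-use open:*); that syntax is an assumption to check against the host agent's documentation.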
