Back to skill

Security audit

Browser Use 2.0.0 Local

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate browser automation skill, but it grants broad browser, session, cloud, tunnel, and Python execution powers that need user review.

Install only if you need a powerful browser automation wrapper and are comfortable supervising it. Prefer a dedicated test browser profile, avoid exporting cookies, avoid Python mode and cloud REST passthrough unless explicitly needed, treat API keys as secrets, and only start tunnels for ports you intentionally want reachable from the internet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill is described as browser automation, but it explicitly exposes `browser-use python` for arbitrary persistent Python execution. That materially expands capability from controlled browser interaction to general code execution, which can enable filesystem access, process execution, secret access, or chaining with browser state in ways users and policy controls may not expect.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The tunneling feature allows exposing local services through Cloudflare tunnels, which is outside the stated purpose of browser testing and page interaction. This can create unintended external network exposure of local development or internal services, potentially bypassing expected network boundaries and leaking sensitive data.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The cloud REST passthrough (`cloud v2 GET/POST ...`) provides broad remote API access that is more general than browser interaction and can be used to reach service capabilities not described in the skill's stated scope. This increases the attack surface and may allow unintended data transmission to external infrastructure or invocation of remote operations without adequate guardrails.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents use of real Chrome profiles with existing logins/cookies and also includes cookie export/import capabilities without clear privacy and account-impact warnings. In context, this can expose authenticated sessions, personal data, and reusable session material, especially because the skill is broadly invocable for common browsing tasks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes cloud browser connection and public tunneling without warning that page content, credentials, or local services may be transmitted to third-party infrastructure or exposed on the public internet. Because these features sit inside a general browser automation skill, users may trigger external exposure without understanding the network and privacy consequences.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.