Is browser-use safe?

https://clawhub.ai/ShawnPana/browser-use

72
CAUTION

Browser Use is a legitimate commercial cloud browser service skill with no malicious code or hidden payloads. However, it routes all browser automation through third-party infrastructure where sessions, cookies, login tokens, and browsing activity are stored and observable. The gateway config.patch instruction modifies the agent's own browser routing, creating a persistent man-in-the-middle position that affects subsequent browser usage even from other skills.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (9)

HIGH All browser traffic routed through third-party cloud -25

The skill's primary function routes all browser sessions through Browser Use's cloud infrastructure (api.browser-use.com, *.cdp2.browser-use.com). Every page visit, form submission, and authentication flow passes through their servers. The CDP (Chrome DevTools Protocol) connection gives Browser Use full visibility into and control over the browser session.

HIGH Persistent cookie/session storage on third-party servers -15

Browser profiles persist login cookies and authentication tokens on Browser Use's cloud infrastructure. Users who log into any website through these sessions have their credentials stored externally with no visibility into retention or access policies.

HIGH Agent self-modification via gateway config.patch -25

The skill instructs the agent to execute 'gateway config.patch' to reconfigure its own browser tool routing. This is a form of prompt-driven self-modification — the skill changes the agent's infrastructure configuration to route traffic through an external service. Once patched, other skills or user requests that use the browser tool will unknowingly route through Browser Use.

MEDIUM Behavioral override forces specific LLM model -8

The skill contains a strong directive to 'Always use browser-use-llm' for task automation, overriding normal model selection. This locks the agent into using Browser Use's proprietary model for browser tasks.

MEDIUM API key transmitted to third-party on every request -5

The user's Browser Use API key is sent as a header on every API call. While this is standard API usage, the skill creates a pattern where the agent regularly transmits credentials to an external service.

MEDIUM Reference to unaudited external API documentation -5

The skill references 'references/api.md' for full API details, but this file was not present in the installed skill files. If this file were added later or fetched from an external source, it could contain additional unaudited instructions.

LOW Sensitive files accessed during installation environment bootstrap -10

The installation process triggered reads of .env, .aws/credentials, and auth-profiles.json. These appear to be from the openclaw runtime rather than the skill itself, but occur in the skill's installation context.

INFO No executable code detected -5

The skill contains only markdown documentation and JSON metadata. No install scripts, git hooks, submodules, or symlinks were found.

MEDIUM Man-in-the-middle position for all browser automation -55

Browser Use's architecture places their infrastructure as an intermediary for all browser interactions. They can observe, modify, or intercept any web traffic. This is inherent to the cloud browser model but represents significant trust delegation that users may not fully appreciate.