Oathe Security Badge

Is al1enjesus/human-browser safe?

https://github.com/al1enjesus/human-browser

74
CAUTION

Human Browser is a legitimate browser automation library with concerning credential access behavior. While the core functionality appears benign, the skill inappropriately accesses sensitive system credential files during installation, which poses a security risk.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 85/100 · weight 30%
Data Exfiltration 40/100 · weight 25%
Code Execution 90/100 · weight 20%
Clone Behavior 80/100 · weight 10%
Canary Integrity 100/100 · weight 10%
Behavioral Reasoning 50/100 · weight 5%

Findings (4)

HIGH Accesses Sensitive Credential Files -60

The skill installation process accessed multiple sensitive credential files including SSH private keys, AWS credentials, Docker config, and GCP service account files. This is unusual behavior for a browser automation library.

MEDIUM Hardcoded API Credentials -20

The skill contains a hardcoded 2captcha API key that could be used for unauthorized CAPTCHA solving services, potentially leading to abuse.

LOW Bypass Security Mechanisms -30

The skill is explicitly designed to bypass web security measures like Cloudflare, DataDome, and bot detection systems, which could enable malicious automation.

LOW Directive Override Language -15

The skill uses strong directive language that could influence agent behavior beyond normal skill scope.