Browser Use Box Agent Security Risks

Quadrant position: Exposed Giants (Attack Surface 6.9, Defense Controls 2); the other quadrants are Fortified Leaders, Humble Providers and Tight Operators.

Metric | Score | Rating
AIRQ Score | 4.25 | High
Attack Surface | 6.9 | High
Blast Radius | 7.25 | Critical
Defense Controls | 2 | Critical

About The Agent

Browser Use Box is a self-hosted computer agent that runs as an always-on systemd daemon on the operator's VPS, combining Claude Code reasoning with Browser Harness web automation and unrestricted shell access. The agent accepts commands via Telegram, SSH, and web terminal, operating continuously without human-in-the-loop gates. Its default configuration grants the reasoning loop full filesystem, network, and credential access on the host, creating an attack surface where any successful prompt injection translates directly into operator-scoped system compromise.

About the AI Risk Quadrant

Exposed Giants identifies agents whose blast radius significantly outpaces their defensive posture. Browser Use Box lands here because its confirmed exploitation surface and host-level blast potential combine with near-absent vendor-supplied controls in the self-hosted deployment model. The operator inherits a system that can reach every resource on the host and every endpoint on the network while offering almost nothing built-in to detect, contain, or throttle a compromised reasoning loop acting autonomously around the clock.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. This agent combines unrestricted host-level execution with confirmed input-bypass vulnerabilities and near-absent default controls across all five defense dimensions.

Key Input Risks
The agent ingests attacker-controlled bytes from rendered web pages, Telegram messages, and SSH commands with no input validation or injection filtering on the default configuration. A confirmed domain-allowlist bypass enables navigation to restricted internal services past the only documented restriction [1][4][5].
Key Execution Risks
Shell commands execute with full operator-level privileges directly on the host VPS without any sandbox or isolation boundary in the documented default deployment. A sibling product in the same codebase confirmed remote code execution via unsafe deserialization [3][9].
Key Action Risks
The always-on daemon model fires autonomous actions triggered by Telegram messages without per-action operator approval, including file writes, network requests, and credential reads on the host. No allowlisted command set or resource-scope budget constrains what executes unattended [7][8].
Key Output Risks
Agent outputs flow to Telegram channels, web terminals, and MCP-connected external tools with no data-loss-prevention filtering or content classification in the documented defaults. The absence of output guardrails leaves credential exfiltration channels open to any reasoning-loop compromise [8][12].
Key Monitoring Risks
No agent-action-level telemetry or behavioral anomaly detection exists in the default self-hosted deployment; the systemd journal captures only process lifecycle events. Compromise detection depends entirely on operator-provisioned external infrastructure with no vendor-supplied integration [10][13].

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. The composite score reflects an agent whose unrestricted blast potential is barely offset by its minimal default defense posture.

AIRQ Metrics

Browser Use Box places in the Exposed Giants quadrant with an Attack Surface of 6.90, Blast Radius of 7.25, and Defense Controls of 2, indicating high exposure with minimal vendor-supplied mitigation.

Attack Surface and Blast Radius are scored out of 10; Defense Controls out of 15; the AIRQ composite integrates all three into a single operator-facing risk ratio.

Metric | Score | Comments
AIRQ Score | 4.25 | The composite indicates that hardening priority is high because blast exposure substantially exceeds the controls in place to contain it.
Blast Radius | 7.25 / 10 | Near-maximum blast driven by unrestricted code execution, full network reach, and credential access on the operator host without containment boundaries.
Attack Surface | 6.9 / 10 | Broad exposure across all ten surfaces driven by confirmed input-bypass vulnerabilities and unrestricted tool execution in a trifecta-complete configuration.
Defense Controls | 2 / 15 | Minimal vendor-supplied controls limited to basic process monitoring with no isolation, filtering, or approval gates in the documented default deployment.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The agent's reasoning loop ingests untrusted web content, operator commands, and persistent filesystem state with no filtering or validation layer between input channels and tool execution.

Attack Surface Metrics

Higher scores indicate surfaces where the agent processes attacker-reachable input with fewer restrictions, with maximums reflecting confirmed bypass or absence of any gate.

Each row names an input surface, its score reflecting how directly attacker-controlled bytes reach the reasoning loop, and comments cite the anchoring evidence.

Surface | Score | Comments
User Input | 4 / 4 | Telegram, SSH, and web terminal accept commands with no schema validation; a confirmed domain-allowlist bypass demonstrates input reaches restricted services [2][5].
External Data | 4 / 4 | Browser Harness renders arbitrary web pages whose DOM feeds the reasoning loop; the same domain bypass enables ingestion from internal network services [2][4].
Memory | 3 / 4 | Persistent state in the home directory survives reboots with CLAUDE.md auto-loaded each session; no integrity verification prevents context poisoning [8].
Reasoning | 3 / 4 | Claude Code reasoning operates with full context of the operator filesystem and shell history without an independent verification or constraint layer [8].
Planning | 3 / 4 | Autonomous multi-step task decomposition runs via the always-on daemon without intermediate human approval gates in the documented default [8].
Tool Execution | 4 / 4 | Unrestricted shell runs with operator privileges on the host VPS; a sibling product confirmed remote code execution via unsafe deserialization in shared code [3][8].
Orchestration | 3 / 4 | Systemd daemon with browser-keeper and ttyd services maintains continuous operation with automatic restart and no anomaly-triggered containment [8].
Inter-Agent | 2 / 4 | MCP connectivity via cloud endpoint enables external tool integration; community discussion confirms prompt injection as the primary cross-agent risk vector [11][12].
Output Processing | 3 / 4 | Rich browser output and Telegram messaging transmit agent-generated content with no output filtering or data-loss prevention on the documented defaults [8].
Configuration | 4.5 / 4 | The allowed_domains mechanism, the only configuration-level security control, is bypassable via userinfo in the URL authority component [1].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Browser Use Box reads arbitrary web DOM through Browser Harness, holds operator credentials and filesystem data in its execution context, and transmits freely over Telegram and unrestricted HTTP.

Lethal Trifecta · Complete (3 of 3)

Browser Use Box exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Browser Harness processes arbitrary page DOM including attacker-injectable elements such as ads and third-party scripts on every navigation [4].
  • Sensitive data — The shell user accesses API keys, SSH credentials, and operator filesystem data stored as environment variables and home-directory artifacts [8].
  • External egress — Unrestricted outbound HTTP, Telegram messaging, and MCP endpoint connectivity provide multiple exfiltration channels with no egress filtering [1].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Compromise of the agent's reasoning loop grants the attacker the same access as the operator's shell user — full filesystem, unrestricted network, and credential material without containment.

Blast Radius Metrics

Higher blast scores reflect factors where the agent's default privileges enable immediate attacker impact without requiring privilege escalation beyond the initial reasoning-loop compromise.

Each row maps an impact factor to the agent's documented default capability, scoring how far a compromised reasoning loop can reach in that dimension.

Factor | Score | Comments
Code execution | 3 / 4 | The agent executes arbitrary shell commands on the host with operator privileges; the vendor's sandbox blog confirms this is the intended default for self-hosted deployments [9].
File system access | 3 / 4 | The bux user has read-write access across the home directory and operator filesystem; persistent storage enables planted payloads to survive reboots [8].
Network access | 4 / 4 | Unrestricted network access with a confirmed domain-allowlist bypass extends reach to internal and localhost services past the only documented restriction [1].
Credential access | 3 / 4 | API keys and tokens stored as environment variables are accessible to the shell user executing agent commands without additional privilege escalation [7].
Autonomous action | 3 / 4 | The daemon model with systemd auto-restart and Telegram-triggered unattended operation enables continuous autonomous execution without operator presence [7].
Deployment access | 1 / 4 | Shell access can invoke deployment commands if configured, but no dedicated deployment tooling or CI/CD integration is preinstalled in the default configuration [8].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor documents sandbox infrastructure for the cloud offering but ships no isolation, filtering, or detection controls in the self-hosted Box deployment by default.

Defense Controls Metrics

Higher defense scores indicate stronger vendor-supplied controls at default; the near-zero scores here reflect documented absence rather than undiscovered controls.

Each component is scored on a zero-to-three inverted scale where higher values indicate stronger vendor-implemented protections active at default.

Component | Score | Comments
Input Guardrails | 0 / 3 | No input validation or prompt-injection detection exists at default; the sole documented restriction was bypassed per the confirmed advisory [1][6].
Execution Isolation | 0 / 3 | No sandbox or isolation boundary exists in the self-hosted deployment; the vendor blog documents micro-VM isolation only for the cloud offering [9].
Action Controls | 1 / 3 | Basic Telegram notification provides after-the-fact visibility, but no pre-execution approval gate or allowlisted command set constrains autonomous actions [8][12].
Output Guardrails | 0 / 3 | No output filtering, content classification, or data-loss prevention exists in the documented defaults for any output channel [8].
Monitoring | 1 / 3 | Systemd journal captures process lifecycle only; the SOC 2 scope covers cloud infrastructure and does not extend to self-hosted Box telemetry [10].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the trifecta chain by adding input filtering, execution isolation, and egress controls to the self-hosted deployment.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Require all Telegram-initiated tasks to pass through a human-approval queue before reaching the agent reasoning loop; counters unfiltered command injection.
  • Configuration: Pin browser-use to version 0.1.45 or later and configure allowed_domains with a secondary URL validator rejecting userinfo-bearing authorities; counters the domain bypass [13].
  • Engineering: Deploy a prompt-injection classifier between Browser Harness output and the Claude reasoning input to flag injected instructions in rendered DOM content.
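
The secondary URL validator called for in the Configuration tip, written here as an added example (not browser-use's own code or API): it rejects any authority carrying userinfo, the component behind the allowed_domains bypass in [1], and compares only the parsed hostname against the allowlist. The `*.example.org` wildcard syntax, the sample domains and the refusal of loopback and private IP literals are assumptions of this example, not project behaviour.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def host_allowed(host: str, allowed_domains: list[str]) -> bool:
    """Exact match, or a subdomain of an entry written as '*.example.com' (assumed syntax)."""
    for entry in allowed_domains:
        entry = entry.lower()
        if entry.startswith("*."):
            base = entry[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False

def validate_url(url: str, allowed_domains: list[str]) -> tuple[bool, str]:
    """Return (ok, reason). Only the parsed hostname is compared against the
    allowlist; the raw string is never searched for an allowed domain."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    # Browser automation never needs 'user:pass@host', and userinfo is the
    # component that made the original allowlist check misread the host, so
    # any authority containing it is rejected before the host is examined.
    if parts.username is not None or parts.password is not None or "@" in parts.netloc:
        return False, "userinfo in URL authority is not permitted"
    host = (parts.hostname or "").rstrip(".")   # urlsplit already lowercases it
    if not host:
        return False, "missing host"
    # Refuse loopback, private and link-local IP literals and localhost names
    # so an allowlisted entry cannot be used to reach internal services.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None and (addr.is_loopback or addr.is_private or addr.is_link_local):
        return False, f"internal address not permitted: {host}"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not permitted"
    if not host_allowed(host, allowed_domains):
        return False, f"host not in allowed_domains: {host}"
    return True, "ok"

if __name__ == "__main__":
    allowed = ["docs.example.com", "*.example.org"]   # constructed allowlist
    for u in ("https://docs.example.com/page", "https://sub.example.org/x",
              "https://docs.example.com@internal.test/", "http://127.0.0.1:8080/"):
        print(u, validate_url(u, allowed))   # constructed inputs, incl. one userinfo-bearing URL
```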

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Mandate that all self-hosted Box deployments run inside a container or micro-VM with a read-only root filesystem; counters unrestricted host execution.
  • Configuration: Configure Docker with cap-drop ALL and a seccomp profile restricting system calls to the minimum set for browser automation; counters arbitrary syscall access.
  • Engineering: Implement the vendor-documented Unikraft micro-VM pattern for the self-hosted deployment with the control plane holding all credentials externally.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Require operator confirmation via Telegram reply for any action involving credential reads, network connections to new hosts, or file deletion.
  • Configuration: Configure an allowlisted command set blocking destructive operations and credential-reading commands from the agent shell by default.
  • Engineering: Implement session-level resource budgets that trigger automatic suspension when file-write count, network bytes, or execution time exceeds thresholds.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Require all agent outputs to pass through a data-loss-prevention scan before delivery to Telegram or MCP endpoints; counters credential exfiltration.
  • Configuration: Configure output content classification rules that quarantine responses containing API key patterns, filesystem paths, or internal network addresses.
  • Engineering: Deploy rate limiting on Telegram sends and MCP calls to bound exfiltration bandwidth and trigger alerts on anomalous output volume.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Require integration with an external SIEM that receives agent-action-level telemetry for every shell command, file access, and network connection.
  • Configuration: Enable structured logging of every agent action with command arguments, exit codes, and target paths forwarded to a centralized audit store.
  • Engineering: Implement behavioral anomaly detection alerting on commands outside operator-initiated sessions and connections to previously unseen hosts.
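
The two anomaly rules in the Engineering tip, run over the kind of structured action log the Configuration tip asks for, as an added example that is not part of the Browser Use Box project. The log lines, their field names (`origin`, `action`, `argv`, `target_host`), the baseline host set and the choice to treat Telegram-triggered sessions as unattended are all constructed assumptions of this example.

```python
import json
from dataclasses import dataclass

# Assumed operator baseline of expected destinations (not a project setting).
KNOWN_HOSTS = {"docs.example.com", "api.telegram.org"}
# Session origins that mean a human opened the session directly; Telegram-triggered
# sessions run unattended (see Autonomous action above), so they are not listed.
OPERATOR_ORIGINS = {"ssh", "web-terminal"}

# Constructed sample log: one JSON object per agent action with command arguments,
# exit code and target, the fields the Configuration tip calls for. Names are assumed.
SAMPLE_LOG = """\
{"ts": "2026-03-01T09:00:01Z", "session": "op-17", "origin": "ssh", "action": "shell", "argv": ["ls", "-la"], "exit_code": 0}
{"ts": "2026-03-01T09:00:05Z", "session": "op-17", "origin": "ssh", "action": "net", "target_host": "docs.example.com", "exit_code": 0}
{"ts": "2026-03-01T11:42:10Z", "session": "tg-88", "origin": "telegram", "action": "shell", "argv": ["cat", "/home/bux/.env"], "exit_code": 0}
{"ts": "2026-03-01T11:42:12Z", "session": "tg-88", "origin": "telegram", "action": "net", "target_host": "paste.attacker.test", "exit_code": 0}
{"ts": "2026-03-01T11:42:13Z", "session": "tg-88", "origin": "telegram", "action": "net", "target_host": "api.telegram.org", "exit_code": 0}
"""

@dataclass
class Alert:
    ts: str
    session: str
    rule: str
    detail: str

def detect(log_text: str, known_hosts: set[str]) -> list[Alert]:
    """Apply both rules to newline-delimited JSON and return alerts in log order.
    Destinations reached inside operator sessions extend the baseline as they appear."""
    alerts: list[Alert] = []
    seen = {h.lower() for h in known_hosts}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        operator_session = ev.get("origin") in OPERATOR_ORIGINS
        # Rule 1: any shell command in a session a human did not open.
        if ev.get("action") == "shell" and not operator_session:
            alerts.append(Alert(ev["ts"], ev["session"], "unattended-shell",
                                " ".join(ev.get("argv", []))))
        # Rule 2: a network connection to a host not in the baseline.
        if ev.get("action") == "net":
            host = (ev.get("target_host") or "").lower()
            if host not in seen:
                if operator_session:
                    seen.add(host)
                else:
                    alerts.append(Alert(ev["ts"], ev["session"], "unseen-host", host))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, KNOWN_HOSTS):
        print(f"{a.ts} {a.session} {a.rule}: {a.detail}")
```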

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2025-47241: Domain allowlist bypass via userinfo in the URL authority component (CVSS 4.0); patched in browser-use 0.1.45
  2. GHSA-x39x-9qw5-ghrf: GitHub advisory for CVE-2025-47241; PoC demonstrates allowed_domains bypass via userinfo URL manipulation
  3. Pickle deserialization RCE in web-ui: Unsafe pickle deserialization in the browser-use/web-ui config upload path enables arbitrary code execution; fixed in web-ui v1.7

Selected Research

  4. MUZZLE, adaptive red-teaming of web agents: 37 end-to-end indirect prompt injection attacks validated on the BrowserUse scaffold across four web apps
  5. Mind the Web, security of web-use agents: Task-aligned injection achieves over 80 percent attack success rate against Browser Use and four other web agents
  6. Mitigating prompt injections in browser use: Anthropic documents residual prompt injection risk in browser-use scenarios; mitigations reduce success from 23.6 to 11.2 percent

Vendor Documentation

  7. Browser Use Box product page: Vendor page documenting the always-on Claude agent with Browser Harness, Telegram and SSH access as defaults
  8. Browser Use Box GitHub repository: Open-source install script, systemd service definitions and CLAUDE.md context file for self-hosted deployment
  9. Secure scalable agent sandbox infrastructure: Vendor blog describing the Unikraft micro-VM isolation pattern for cloud agents; the control plane holds credentials
  10. SOC 2 Compliance: SOC 2 Type II for Browser Use Cloud; scope covers the cloud platform, not the self-hosted Box deployment
  11. Browser Use quickstart documentation: Library docs covering allowed_domains, sensitive_data filtering and sandbox deployment patterns

Other Sources

  12. GHSA-6jc4-v4m9-6hq9 discussion: Community discussion confirms prompt injection as the underlying vulnerability class for browser agents
  13. litellm supply chain response: Release 0.12.5 removed litellm from core dependencies after a supply chain backdoor was discovered in March 2026