

co-browser/browser-use-mcp-server — agentic threat model

AIVSS 7.6 · High

This agent presents a high risk profile due to its autonomous web-browsing capabilities, which expose it to indirect prompt injection from untrusted web content, combined with potential infrastructure risks from hosting Dockerized Chromium and VNC.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.74
Factor sum: 5.6/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.8

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.90
Goal-Driven Planning: 0.80
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.50
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
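The score above can be reproduced from the listed inputs. The following calculator is an added example, not code from the listing site or from the AIVSS project; it implements the formula quoted on this page with the page's ten factor values, and the severity bands in `severity()` are an assumption (CVSS-style cut-offs), since the page does not state the AIVSS band boundaries.

```python
from typing import Dict, Tuple

# Agentic risk factors exactly as listed on this page (each in 0.0..1.0).
PAGE_FACTORS: Dict[str, float] = {
    "Autonomy of Action": 0.90,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}


def aivss(cvss_base: float, factors: Dict[str, float],
          threat_multiplier: float, mitigation_factor: float) -> Tuple[float, float, float]:
    """Return (factor_sum, aars, aivss) using the formula quoted on the page:
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    Inputs are range-checked so a mistyped factor cannot silently inflate the score."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in 0..10")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in 0..1, got {value}")
    factor_sum = sum(factors.values())
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return factor_sum, aars, min(score, 10.0)  # AARS fills the headroom above the base; cap at 10


def severity(score: float) -> str:
    # Assumed CVSS-style bands; the AIVSS band boundaries are not given on the page.
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


def page_score() -> Tuple[float, float, float]:
    """This page's inputs: CVSS base 8.8, ThM x1.1, mitigation x0.8."""
    return aivss(8.8, PAGE_FACTORS, 1.1, 0.8)


if __name__ == "__main__":
    factor_sum, aars, score = page_score()
    print(f"factor sum {factor_sum:.1f}/10, AARS {aars:.2f}, AIVSS {score:.1f} ({severity(score)})")
```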

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing does not specify the underlying LLM used, but the model is highly vulnerable to indirect prompt injection and adversarial reprogramming when parsing arbitrary web content during autonomous browsing.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — No explicit RAG or vector database is mentioned, but the agent dynamically ingests and processes unstructured data from the live web, presenting a high risk of data poisoning and malicious payload delivery.

L3 · Agent Frameworks (✓ mapped)

Uses the browser-use framework to orchestrate multi-step web tasks. The primary threat is tool misuse and insecure tool integration, where malicious web pages can hijack the browser-use planning loop to perform unauthorized actions.

L4 · Deployment & Infrastructure (✓ mapped)

Runs Chromium inside Docker with a VNC server and SSE transport. Key threats include container escape, unauthorized VNC access to view active sessions, and lateral movement within the host network if the container is compromised.

L5 · Evaluation & Observability (✓ mapped)

Provides a VNC server for visual observation of the browser, but lacks automated guardrails, real-time prompt injection detection, or structured audit logging of LLM-to-browser actions.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — There is no mention of authentication, authorization, or transport security (e.g., TLS) for the SSE endpoint or VNC server, posing compliance and access control risks.

L7 · Agent Ecosystem (✓ mapped)

Exposed as an MCP server, allowing other LLMs and agents to orchestrate it. This introduces risks of cascading failures and trust abuse if a parent agent is compromised and instructs this agent to perform malicious web actions.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).