Security Audit — browser-use/browser-use · openclaw Research conducted June 2026  ·  Sources: GitHub, official docs, NVD

Methodology: multi-source + counter-evidence search

Six Claims. Adversarially Verified.

Each claim about Browser Use and OpenClaw was checked against primary sources — GitHub, official docs, NVD — with counter-evidence searched for every one. Verdicts: green = confirmed, red = refuted, amber = uncertain.

Confirmed
3
Refuted
1
Uncertain
2
Total claims
6
CLAIM 01

Indexed accessibility tree vs. raw HTML

Claim 01 Uncertain
Statement "Browser Use sends a numerically-indexed serialized accessibility tree (not raw HTML) as the primary DOM representation to the LLM." UNCERTAIN
Key Evidence The claim is partially correct but imprecisely worded. Browser Use does not send raw HTML. It serializes interactive DOM elements into a selector_map — a dict[int, EnhancedDOMTreeNode] — where each interactive element is assigned a sequential integer index. The LLM receives a text rendering of this serialized structure, not a raw HTML dump.
Detail However, the representation is derived from a hybrid of three trees: the DOM tree, the Chrome Accessibility (AX) tree, and a Snapshot tree. The class EnhancedDOMTreeNode combines data from all three. The deep wiki for the project refers to this as a "DOM Processing Engine," not strictly an "accessibility tree." The serializer (browser_use/dom/views.py, DOMTreeSerializer) filters for interactive, visible nodes and assigns sequential integer indices — but the primary source is the DOM tree augmented with AX data, not a pure accessibility tree.
Counter-evidence

The claim says "accessibility tree" as if it is the sole or primary source. One technical source (deepwiki.com on browser-use) explicitly states: "The documentation does not describe this as an accessibility tree. Rather, it's part of the 'DOM Processing Engine'." The numeric indexing part is confirmed; the "accessibility tree" label is a simplification.

Sources

CLAIM 02

sensitive_data redacts only pre-registered values

Claim 02 Confirmed
Statement "Browser Use's sensitive_data parameter only redacts values you explicitly pre-register; it has NO automatic detection of passwords, SSNs, or credit card numbers." CONFIRMED
Key Evidence The official example at browser_use/examples/features/sensitive_data.py demonstrates a manual domain-keyed dictionary: sensitive_data = {'httpbin.org': company_credentials}. The developer must explicitly map credential names to domains. The model sees placeholder keys like x_name and x_password — it never sees values — but only for the keys you register.
Detail Official docs describe sensitive_data as a "Dictionary of sensitive data to handle carefully," with no mention of automatic PII pattern detection. No changelog entry in the browser-use releases refers to regex-based or heuristic auto-detection of passwords, SSNs, or credit card numbers. Known bugs (Issue #713, Issue #695, Issue #1062) all concern the explicit-registration mechanism failing in edge cases — none reference an auto-detection layer being added.

Sources

CLAIM 03

Vision screenshots bypass text-layer redaction

Claim 03 Uncertain
Statement "Screenshots are included in LLM API calls when use_vision=True, and this bypasses any text-layer redaction." UNCERTAIN
Key Evidence The first part — that use_vision=True sends screenshots to the LLM API — is confirmed. The docs state: True = always includes screenshots; False = never includes them; 'auto' = uses vision only when requested. The browser-use docs themselves warn: "if you must pass secrets, use sensitive_data and disable vision to avoid screenshot leaks." This implicit warning confirms that screenshots can expose content that text-layer redaction would mask.
Detail The second part — that this is a complete bypass — is not fully confirmed. The service.py code shows sensitive_data filtering operates at the MessageManager level (text messages), and there is no visible screenshot-sanitization layer before API transmission. However, the absence of sanitization code in the one file fetched does not definitively confirm there is none anywhere in the pipeline.
Important nuance

The docs frame this as a known risk to mitigate through configuration (use_vision=False when handling credentials), not as a design defect with a code-level fix. The bypass concern is real but described as a deployment responsibility, not a bug.

Sources

CLAIM 04

OpenClaw is a separate product, not a fork

Claim 04 Confirmed
Statement "OpenClaw is a separate product from Browser Use (not a fork), but can integrate with Browser Use as a plugin." CONFIRMED
Key Evidence OpenClaw is an independent open-source AI agent framework (created by Peter Steinberger, formerly of PSPDFKit). It is not a fork of Browser Use. The two products maintain separate codebases, separate documentation sites, and separate GitHub organizations.
Detail The integration is real and documented from both sides. Browser Use's official docs include an OpenClaw integration tutorial. OpenClaw's docs describe two integration paths: (1) configuring OpenClaw's native browser tool to connect to a Browser Use cloud browser via CDP, and (2) installing the Browser Use CLI as a skill — the mechanism is additive, not a fork relationship. The "plugin" framing in the claim is slightly imprecise (Browser Use calls it a "skill" or "integration"), but the spirit of the claim is accurate.

Sources

CLAIM 05

GitHub issue documented plaintext passwords in controller logs

Claim 05 Confirmed
Statement "A GitHub issue (#713 or similar) in browser-use documented passwords appearing in plaintext in controller logs." CONFIRMED
Key Evidence Issue #713 exists exactly as described. Opened by john-the-dev on February 13, 2025, titled: "Sensitive data does not work on controller log." The report shows that while agent-level logs properly masked sensitive values, controller logs at browser_use/controller/service.py#L137 emitted lines such as ⌨️ Input xxxxxxxxxxxxx into index 3 where the x's represented the actual credential value in plaintext.
Detail The issue was closed via pull request #724, meaning a fix was shipped. The claim's "(#713 or similar)" hedge is unnecessary — the issue number is exact. Additional related issues (#695, #1062) show this class of problem recurred in different parts of the pipeline, indicating the sensitive_data filtering was not consistently applied across all logging surfaces at the time of original disclosure.

Sources

CLAIM 06

CVE-2025-32711 (EchoLeak) relates to browser agent exfiltration

Claim 06 Refuted
Statement "CVE-2025-32711 (EchoLeak) is real and relates to browser agent sensitive data exfiltration." REFUTED
Key Evidence CVE-2025-32711 and the EchoLeak name are real. The severity is real (CVSS 9.3, patched June 2025 Patch Tuesday). The exfiltration mechanism is real. But the claim's framing — that it relates to "browser agent sensitive data exfiltration" in the sense of browser automation libraries like Browser Use — is incorrect.
Detail EchoLeak is a vulnerability in Microsoft 365 Copilot, an enterprise AI assistant. The attack is an indirect prompt injection: a malicious email injects instructions into Copilot's context, then auto-loaded image references exfiltrate organizational data (SharePoint, Teams, OneDrive) without user interaction. It has no connection to Browser Use, OpenClaw, or browser automation libraries. The vulnerability class is "LLM Scope Violation" in a RAG/enterprise context, not browser automation agent leakage.
Why this matters

Conflating EchoLeak with browser automation agent security is a category error. EchoLeak involves Microsoft's XPIA classifier bypass and Teams proxy abuse — architectural specifics that have no analog in browser-use's threat model. Using CVE-2025-32711 as evidence of browser-agent risk would be misleading in a security report.

Sources

SUMMARY

All six claims at a glance

ClaimVerdict
01 — Indexed serialized accessibility treeUncertain
02 — sensitive_data only redacts pre-registered valuesConfirmed
03 — use_vision=True screenshots bypass redactionUncertain
04 — OpenClaw separate product, integrates as pluginConfirmed
05 — Issue #713 plaintext passwords in controller logsConfirmed
06 — CVE-2025-32711 relates to browser agent exfiltrationRefuted
Note

Strikethrough on Claim 06 indicates refuted claim text.