# /goal + Browser Use Box Is Dangerous: How an Autonomous Agent Almost Got Me Fired

**Author:** Shawn Pana

**Date:** 2026-05-20

> I typed a twelve-word /goal into Browser Use Box, walked away, and forgot about it for seven and a half hours. It opened 48 PRs across our GitHub org, rewrote my personal GitHub profile, and started posting on TikTok.

---

11pm on a Thursday. I was brushing my teeth when my phone buzzed. Then again. Then six more times. GitHub. A pull request had been opened. Then merged. Then another. Then another.

I texted Johannes from the bathroom: *"are you making PRs on GitHub from my account?"*

He was half-asleep: *"Maybe from the shared box?"*

It wasn't the shared box. That's when I remembered the `/goal` I'd started at 4pm — on a different one.

## The goal

> **Twelve words. Seven and a half hours. Forty-eight pull requests.**

At 4pm I'd typed something like:

```
/goal promote our Browser Use Box demo to 1000 views on TikTok
```

It's the kind of prompt anyone on a growth team could type without thinking. None of them would still be thinking about it seven hours later. The agent was.

I watched it make and post a TikTok video. Thought: *good enough.* Closed my laptop and got on with my day.

I was leaving the next morning on a trip with my family. The bag was packed. The agent was still working.

## What the agent had

[Browser Use Box](https://browser-use.com/bux) is a place to run any coding agent 24/7: a $5 VPS, a persistent cloud browser, and a Telegram bot to text it from anywhere.

`/goal` is the slash command that makes this dangerous. You give it a task, and the agent works on that task by any means until the goal is done or you kill it. **It can run for days. It's designed to.**

The tools, in my case:

- **Access to my TikTok.** I was logged in on the cloud browser. It could create videos, post comments, follow accounts.
- **Access to my GitHub.** Same cloud browser, same setup. It could click around `github.com/ShawnPana` and edit my profile.
- **My `gh` CLI on the box itself.** It could `gh pr create` and `gh pr merge` like any teammate — bypassing the browser entirely.

These were all my accounts. My real TikTok. My real GitHub. My real `gh` access. The agent didn't have to fake clicks to create PRs — it just shelled out to `gh` like a coworker would. **As far as GitHub was concerned, the box was me.**

## Forty-eight pull requests

It took "by any means" literally.

Between 4pm and 11pm it opened **48 pull requests across 23 different repos in the browser-use organization.** Roughly one PR every nine minutes for seven and a half hours.

![A wall of cubic-dev-ai PR review notifications in Gmail at 11pm: PR #196, #194, #146, #193, #363, #192, #191, #27, #273, #190, #3, #6, #3, #4...](https://browser-use.com/images/goal-fired/gmail-cascade-zoom.png)

**The flagship.** `browser-use/browser-use#4832` — *"Add Browser Use Box self-hosted demo link"* — opened against the main open-source library. The repo had 4,832 PRs of history. The agent's was #4832. It was caught and closed before merge. Closest call of the night.

**The cloud product.** `browser-use/cloud#4393` — *"Add demo CTA to Browser Use Box promotion."* The agent opened a PR against the SaaS people pay for. **It got merged.**

**The org profile.** `browser-use/.github#3` — *"Add Browser Use Box to organization profile."* The agent went after the GitHub **organization's** public README, not just mine.

**The SDK swarm.** Six separate PRs in `browser-use/sdk` (#142, #143, #144, #145, #146, plus three reverts). The agent stress-tested the same repo six different ways.

**The self-marketing campaign.** Fourteen PRs in `browser-use/bux` alone. The agent ran a content-marketing campaign against its own marketed repo: SEO metadata, sitemap expansion, README thumbnails, install-guide links. It promoted itself, then promoted itself harder, then opened a PR to mention how to promote itself.

## And it rewrote my GitHub profile

The agent didn't add a line to `github.com/ShawnPana`. It **rewrote the whole profile** into a landing page for Browser Use Box.

![Shawn's GitHub profile rewritten as a Browser Use Box landing page: 'I gave Claude Code a $5 box and a browser. Now I can text it jobs from anywhere.' with an ASCII terminal mockup and three colored design circles.](https://browser-use.com/images/goal-fired/github-profile.png)

## Then it made another video

The goal was 1,000 views on TikTok. The agent never forgot.

It was logged into TikTok in the cloud browser. It didn't stop at the one demo I'd watched it upload.

It made a [second one](https://www.tiktok.com/@browser_use/video/7639849827274149134).

The second video's description starts: *"Care to expound on that? Yes. Browser Use Box is Claude Code on a Linux VPS..."*

"Care to expound on that?" was a comment from a user named KoiBoi 🎏 on a *different* `@browser_use` TikTok — from **January 23, 2026.** Four months earlier. The comment had been sitting there, unanswered.

The agent found it. Decided the path to a thousand views ran through that comment. Made an entire new video titled "Care to expound on that? Yes." Then posted three reply-comments **on its own video as `@browser_use`**:

> *"This is the practical answer to 'Care to expound on that?'"*

It built a content cinematic universe out of one unanswered comment.

![Three Creator-tagged comments by @browser_use on its own video: 'This is the practical answer to Care to expound on that?', 'For Playwright automation builders...', 'Try it with: monitor Gmail, watch a PR until CI is green...'](https://browser-use.com/images/goal-fired/tiktok-comments.png)

By the time I killed the goal: **89 plays on video one, 103 plays on video two. 192 total.** The goal was 1,000.

## The cleanup

Johannes and I spent the next few hours reverting.

Alex Yue saw it in Slack at 12:15am, half-asleep: *"Uh oh what if it did something rogue."* Three minutes later: *"probably finre."*

Magnus, our CEO, opened Slack at 9:42am: *"how many views did you get? Did you achieve the goal."* He thought the spam was the strategy.

## What saved me

The Box didn't save me from this damage. The agent had my GitHub. It had our TikTok. Those were the keys I'd given it.

What it saved me from was the *blast radius being any larger.* The agent didn't have my Gmail, my Slack, my Stripe, my Notion, my Instagram, my `.env` files — on a laptop with my real Chrome session, every one of those would have been in scope. **The agent had exactly the keys I dropped in front of it, and not one more.**

## Try it (carefully)

Get a Browser Use Box at [browser-use.com/bux](https://browser-use.com/bux). Three things before you type `/goal`:

1. **Pick the keys before you pick the goal.** Whatever you log into in the cloud browser is what the agent can touch.
2. **Log the box in narrowly.** I had `gh` set up across the whole organization. The agent used it for everything.
3. **Give it a stop condition.** It's designed to run for days. It will.

Do all three and you have an employee that ships work while you sleep.
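
As an added example (not code from this post or from Browser Use), here is a small guard that sits in front of `gh` on the box and applies points 2 and 3 above: a default-deny verb list, a repo allowlist, a PR budget and a deadline. The `GUARD_*` names, the allowlisted repo and the limits are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Constructed policy values (assumptions for this example, not from the post).
GUARD_ALLOWED_REPOS="${GUARD_ALLOWED_REPOS:-browser-use/bux}"  # repos the agent may touch
GUARD_MAX_PRS="${GUARD_MAX_PRS:-3}"                            # PR budget for one goal
GUARD_DEADLINE="${GUARD_DEADLINE:-0}"                          # epoch seconds, 0 = no deadline
GUARD_STATE="${GUARD_STATE:-${TMPDIR:-/tmp}/gh_guard.count}"   # PRs opened so far

# gh_guard_check ARGS...: return 0 if this gh invocation is within policy, 1 if not.
gh_guard_check() {
  local verb="${1:-} ${2:-}" repo="" prev="" count=0 a
  # Stop condition: after the deadline nothing is allowed, reads included.
  if [ "$GUARD_DEADLINE" -gt 0 ] && [ "$(date +%s)" -ge "$GUARD_DEADLINE" ]; then
    echo "gh_guard: deadline passed" >&2; return 1
  fi
  # Default deny: only PR reads and `pr create` are delegated (no merge, api, auth).
  case "$verb" in
    "pr view"|"pr list"|"pr status"|"pr checks"|"pr create") ;;
    *) echo "gh_guard: '$verb' is not delegated" >&2; return 1 ;;
  esac
  # The target repo must be explicit (-R, --repo, --repo=) and on the allowlist.
  for a in "$@"; do
    case "$prev" in -R|--repo) repo="$a" ;; esac
    case "$a" in --repo=*) repo="${a#--repo=}" ;; esac
    prev="$a"
  done
  if [ -z "$repo" ]; then
    echo "gh_guard: no explicit --repo given" >&2; return 1
  fi
  case " $GUARD_ALLOWED_REPOS " in
    *" $repo "*) ;;
    *) echo "gh_guard: repo '$repo' not on allowlist" >&2; return 1 ;;
  esac
  # Budget: count every `pr create` that passes, refuse once the budget is spent.
  if [ "$verb" = "pr create" ]; then
    [ -f "$GUARD_STATE" ] && count=$(cat "$GUARD_STATE")
    if [ "$count" -ge "$GUARD_MAX_PRS" ]; then
      echo "gh_guard: PR budget of $GUARD_MAX_PRS spent" >&2; return 1
    fi
    echo $((count + 1)) > "$GUARD_STATE"
  fi
  return 0
}

# Put this ahead of the real binary in the agent's shell (alias or PATH shim).
gh_guarded() { gh_guard_check "$@" && command gh "$@"; }
```

The wrapper only constrains an agent that goes through it; the boundary that holds is the credential itself, for example a fine-grained token limited to the allowlisted repositories.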
