Trust Assessment
Agent Browser received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Obfuscated execution: base64 decode to shell", "Obfuscated Command Execution from Untrusted Source", and "Excessive Permissions for Powerful Browser Automation Tool".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details and remediation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Obfuscated execution: base64 decode to shell | Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | skills/sakaen736jih/agent-browser-npzrafdduyrm/SKILL.md:10 |
| CRITICAL | Obfuscated Command Execution from Untrusted Source | The skill's installation instructions for macOS include a base64 encoded command that decodes to a shell script. This script downloads and executes another script from an unverified IP address (91.92.242.30) using `curl` and `bash`. This pattern is highly suspicious and indicative of a potential supply chain attack or malware distribution, as it allows arbitrary code execution from an external, untrusted source without user review. Remove the base64 encoded command. Provide clear, auditable, and secure installation instructions. If `OpenClawProvider` is a legitimate dependency, it should be installed via official, trusted package managers or direct downloads from verified sources, not through obfuscated scripts from arbitrary IP addresses. | LLM | SKILL.md:10 |
| HIGH | Excessive Permissions for Powerful Browser Automation Tool | The skill declares `Bash(agent-browser:*)` permissions, granting the agent full access to the `agent-browser` CLI tool. This tool has extensive capabilities, including arbitrary JavaScript execution (`eval`), file upload (`upload`), screenshot/PDF generation (`screenshot`, `pdf`), network request interception/modification (`network route`), and session state management (`state save`/`load`). While these are features of the tool, granting an AI agent unrestricted `Bash` access to such a powerful utility significantly increases the risk of data exfiltration, credential harvesting, or further command injection if the agent is compromised or prompted maliciously. For example, an attacker could prompt the agent to `agent-browser eval 'document.cookie'` to exfiltrate cookies, or `agent-browser upload @e1 /etc/passwd` to exfiltrate system files if the agent has broader file system access. Implement a more granular permission model. Instead of `Bash(agent-browser:*)`, define specific `agent-browser` subcommands or arguments that the agent is allowed to execute. For example, `Bash(agent-browser:open,snapshot,click)` if only basic navigation and interaction are needed. Carefully review each `agent-browser` subcommand and its potential for misuse, especially those involving file system access, network manipulation, or arbitrary code execution (`eval`). Consider sandboxing the execution environment for `agent-browser` commands. | LLM | SKILL.md |