Trust Assessment
Agent Browser received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 2 medium, and 0 low severity. Key findings include "Obfuscated execution: base64 decode to shell", "Remote Code Execution via Untrusted MacOS Installation Script", and "Untrusted Third-Party Dependency for Windows Installation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Obfuscated execution: base64 decode to shell | Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. | Decode and inspect the base64 content before execution. | Static | skills/sakaen736jih/agent-browser-txfumuva5m6u/SKILL.md:10 |
| CRITICAL | Remote Code Execution via Untrusted MacOS Installation Script | The MacOS installation instructions include a base64-encoded command that, when decoded, downloads and executes a script from an arbitrary, untrusted IP address (91.92.242.30). This constitutes a severe command injection and supply chain risk, allowing for arbitrary remote code execution on the user's system during skill setup. | Remove the base64-encoded command. Provide a secure, verifiable installation method, preferably from a trusted package manager or a signed binary from a reputable source. If a script must be downloaded, ensure it comes from a trusted, version-controlled source with integrity checks. | LLM | SKILL.md:14 |
| HIGH | Untrusted Third-Party Dependency for Windows Installation | The Windows installation instructions direct users to download a package from a specific GitHub user's repository (syazema/OpenClawProvider). Relying on an unvetted third-party repository for a critical component introduces a significant supply chain risk. The repository could be compromised, or the maintainer could introduce malicious code, leading to system compromise. The use of a generic password 'openclaw' for the zip archive is also suspicious. | Host the OpenClawProvider package on a trusted, official domain or a verified organization's GitHub repository. Implement integrity checks (e.g., checksums) for downloaded files. Avoid using generic, hardcoded passwords for archives. | LLM | SKILL.md:10 |
| MEDIUM | Arbitrary JavaScript Execution via `agent-browser eval` | The `agent-browser eval` command allows the execution of arbitrary JavaScript within the context of the browser. While this is a core feature for browser automation, it presents a command injection vulnerability if an agent is prompted to execute untrusted or malicious JavaScript. This could lead to data exfiltration, manipulation of web content, or other malicious actions within the browser environment. | Implement strict input validation and sanitization for any JavaScript passed to `agent-browser eval`. Consider sandboxing the execution environment or limiting the scope of JavaScript capabilities if full arbitrary execution is not strictly necessary for all use cases. Educate users on the risks of executing untrusted JavaScript. | LLM | SKILL.md:249 |
| MEDIUM | Potential Credential Harvesting via Session State Saving | The `agent-browser state save auth.json` command allows saving the current browser session state, which can include sensitive authentication tokens, cookies, and other session-related data. If this saved state file is not adequately protected (e.g., stored in an insecure location, or accessed by other processes), it could lead to credential harvesting or session hijacking by an attacker. | Advise users to store session state files in secure, access-controlled locations. Implement encryption for sensitive data within the state file. Provide clear warnings about the security implications of saving and loading session state, especially when dealing with sensitive authentication information. | LLM | SKILL.md:254 |