Security Audit

agent-browser

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

agent-browser received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary File Write via User-Controlled Output Directory, Arbitrary File Read/Write via User-Controlled State File Path.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

70%

Behavioral Risk Signals

Filesystem Write

2 findings

Shell Execution

2 findings

Dynamic Code

2 findings

Excessive Permissions

1 finding

Security Findings2

Severity	Finding	Layer	Location
HIGH	Arbitrary File Write via User-Controlled Output Directory The `capture-workflow.sh` script constructs file paths using the user-provided `$OUTPUT_DIR` argument (second script argument) without sanitization. An attacker can supply a path like `../../../../tmp/malicious.sh` or `/etc/cron.d/malicious` to write files to arbitrary locations on the filesystem. This could lead to command injection (if writing to executable paths or cron directories) or data exfiltration (if writing to web-accessible directories). The `mkdir -p` command itself is vulnerable to path traversal, and subsequent `agent-browser` commands write files into this potentially malicious directory. Sanitize the `$OUTPUT_DIR` argument to ensure it is a safe, relative path or within a designated output directory. For example, validate that the path does not contain `..` or absolute path indicators, or prepend a secure base directory (e.g., `mkdir -p "./output/$OUTPUT_DIR_SANITIZED"`).	LLM	templates/capture-workflow.sh:7
HIGH	Arbitrary File Read/Write via User-Controlled State File Path The `authenticated-session.sh` script uses the user-provided `$STATE_FILE` argument (second script argument) directly in `agent-browser state load` and `agent-browser state save` commands. An attacker can specify an arbitrary file path (e.g., `/etc/passwd` for loading, or `/tmp/malicious.sh` for saving) to read sensitive system files (data exfiltration) or write potentially malicious content to arbitrary locations (command injection). The `agent-browser` tool, when invoked by the skill, would attempt these operations with the provided path. Sanitize the `$STATE_FILE` argument to ensure it is a safe, relative path or within a designated data directory. For example, validate that the path does not contain `..` or absolute path indicators, or prepend a secure base directory (e.g., `agent-browser state load "./data/$STATE_FILE_SANITIZED"`).	LLM	templates/authenticated-session.sh:12

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/41ca5004142f357e.svg)](https://skillshield.io/report/41ca5004142f357e)