Trust Assessment
browser-ladder received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 1 medium, and 1 low severity. Key findings include: "Unsanitized file paths in `mkdir` and `docker -v` lead to command injection"; "Use of unknown `playwright-cli-extra` package with `npx -y`"; and "Browserless.io token exposed in URL query parameter".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unsanitized file paths in `mkdir` and `docker -v` lead to command injection.** The `browse.sh` script takes `--screenshot` and `--pdf` arguments, which are then used to construct directory and file paths. These paths are directly used in `mkdir -p "$OUTPUT_DIR"` and `docker run --rm -v "$OUTPUT_DIR:/output"`. If a malicious user provides a path containing shell metacharacters (e.g., `"; rm -rf /"`), these commands will execute the injected code, leading to arbitrary command execution. Sanitize or validate user-provided file paths to ensure they do not contain shell metacharacters. Alternatively, use a safer method to create directories and pass volumes, or ensure the script is only called with trusted inputs. For example, use `printf %q` to quote arguments if they must be passed to another shell, or restrict paths to alphanumeric characters and `/`. | LLM | scripts/browse.sh:59 |
| HIGH | **Unsanitized user input written to `.env` file can lead to command injection.** The `setup.sh` script prompts the user for `BROWSERCAT_API_KEY` and `BROWSERLESS_TOKEN`. The user's input is then directly appended to the `.env` file using `echo "VAR=$USER_INPUT" >> "$ENV_FILE"`. If a malicious user provides input containing shell metacharacters (e.g., `mykey; rm -rf /`), these characters will be written into the `.env` file. When this `.env` file is later sourced by a shell (a common practice for loading environment variables), the injected commands will be executed. Sanitize user input before writing it to the `.env` file. For shell environment variables, this typically means escaping special characters. A safer approach might be to use a tool or library designed for `.env` file manipulation that handles escaping automatically, or to strictly validate input to ensure it only contains valid key characters. If direct shell sourcing is intended, ensure the values are properly quoted (e.g., in bash, `printf 'VAR=%q\n' "$USER_INPUT" >> "$ENV_FILE"`). | LLM | scripts/setup.sh:26 |
| MEDIUM | **Use of unknown `playwright-cli-extra` package with `npx -y`.** The `browse.sh` script uses `npx -y playwright-cli-extra content "$URL"` for HTML content retrieval in Level 2. `playwright-cli-extra` is not a standard or officially recognized Playwright package. Using `npx -y` automatically confirms the installation of this potentially unknown package, which could be a typosquat or a malicious package, introducing a supply chain vulnerability by executing arbitrary code during installation. Replace `playwright-cli-extra` with a known, trusted method for retrieving HTML content using Playwright, or explicitly audit the `playwright-cli-extra` package for security. Avoid `npx -y` for non-standard packages. | LLM | scripts/browse.sh:79 |
| LOW | **Browserless.io token exposed in URL query parameter.** The `BROWSERLESS_TOKEN` is passed as a query parameter in the URL for Browserless.io API calls (e.g., `wss://production-sfo.browserless.io?token=$BROWSERLESS_TOKEN`). While this might be supported by the service, passing sensitive tokens in URL query parameters can lead to their exposure in server access logs, proxy logs, browser history, and referrer headers, making them more susceptible to interception or logging than if they were passed in HTTP headers. If the Browserless.io API supports it, pass the token in an `Authorization` HTTP header (e.g., `Authorization: Bearer $BROWSERLESS_TOKEN`) instead of a URL query parameter to reduce exposure risks. | LLM | scripts/browse.sh:99 |