Trust Assessment
browserbase-fix received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 3 high, 0 medium, and 0 low severity. Key findings include Potential Data Exfiltration via Debugging Commands, Arbitrary Code Execution via `stagehand eval` and Shell Command Arguments, Capability for Credential Harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Code Execution via `stagehand eval` and Shell Command Arguments The skill explicitly instructs the LLM to execute `stagehand eval "<js>"`, where `<js>` is a placeholder for JavaScript code. If the content of `<js>` is derived from untrusted user input (e.g., a user-provided selector or value), it allows for arbitrary JavaScript execution within the browser context. Additionally, commands like `git commit -m "fix(<function-name>): <description of fix>"` and `gh pr create --title "Fix <function-name>" --body "..."` involve constructing shell commands with arguments that can be influenced by user input (e.g., function names, descriptions). If these inputs are not properly sanitized or escaped, they can lead to shell command injection, allowing an attacker to execute arbitrary commands on the host system. Implement robust input validation and sanitization for all user-controlled inputs used in `stagehand eval` and shell command arguments. For `stagehand eval`, consider using a more restricted API or strictly validating the JavaScript snippet. For shell commands, ensure proper escaping of arguments to prevent metacharacter interpretation. | LLM | SKILL.md:69 | |
| HIGH | Potential Data Exfiltration via Debugging Commands The skill instructs the LLM to use `stagehand network list`, `stagehand network show`, `stagehand snapshot`, `stagehand screenshot`, `stagehand fn errors`, `stagehand fn logs`, and `stagehand eval` commands. These commands are designed to retrieve detailed information about browser sessions, network traffic (including headers, cookies, request/response bodies), DOM structure, visual state, and function execution logs/errors. If the LLM outputs this information to an unauthorized user or if the data itself contains sensitive user information, it constitutes a data exfiltration risk. Implement strict output filtering and access controls for sensitive data retrieved by debugging commands. Ensure that the LLM is explicitly instructed *not* to output sensitive information unless specifically authorized and masked. Consider redacting sensitive fields (e.g., `Authorization` headers, cookie values) by default. | LLM | SKILL.md:60 | |
| HIGH | Capability for Credential Harvesting The skill instructs the LLM to use commands such as `stagehand network list`, `stagehand network show`, and `stagehand eval`. These commands provide direct access to network request/response details (including authentication headers and cookies) and the ability to execute arbitrary JavaScript within the browser context (e.g., reading `localStorage`, `sessionStorage`, or cookies). While the skill's stated purpose is debugging, these capabilities inherently allow for the retrieval and potential harvesting of sensitive credentials if the LLM is manipulated or if the debugging context contains such information. Implement strict access controls and redaction policies for any output that might contain credentials. Ensure that the LLM is trained and instructed to recognize and redact credential-like patterns from its output, and to never store or transmit them outside of secure channels. | LLM | SKILL.md:60 | |
| HIGH | Excessive Permissions for Code Modification and Deployment The skill instructs the LLM to perform high-privilege operations including modifying local files (`git add <function-file>`, `git commit`), pushing changes to a version control system (`git push`), and deploying new or updated functions (`stagehand fn publish <entrypoint>`). These actions grant the LLM extensive control over the codebase and deployment pipeline. If the LLM is compromised or manipulated, it could introduce malicious code, deploy unauthorized changes, or disrupt production systems. Implement a robust approval workflow for code changes and deployments initiated by the LLM. Ensure that any code modifications or deployment actions require human review and explicit authorization before being applied to production. Limit the LLM's ability to directly push to protected branches or deploy without review. Consider using a least-privilege approach for the tools available to the LLM. | LLM | SKILL.md:100 |
Scan History
Embed Code
[](https://skillshield.io/report/85a6d2aabf138e9f)
Powered by SkillShield