Trust Assessment
browserless-agent received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 2 medium, and 0 low severity. Key findings include Unpinned Python dependency version, Arbitrary JavaScript execution via `evaluate` and `evaluate_function`, Arbitrary file write via `screenshot` and `pdf` actions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary JavaScript execution via `evaluate` and `evaluate_function`: The `evaluate` and `evaluate_function` actions allow arbitrary JavaScript code (provided as `expression` or `function` parameters) to be executed within the context of the browsed web page. If an AI agent is prompted to provide malicious JavaScript, this could lead to data exfiltration (e.g., reading cookies, local storage, or sensitive DOM content), session hijacking, or defacement of the browsed page. While executed within the browser sandbox, it bypasses typical content security policies if the agent navigates to an attacker-controlled page or if the LLM is manipulated to inject malicious JS into a legitimate page. Implement strict input validation or whitelisting for the `expression` and `function` parameters if they are intended to be derived from untrusted user input. If the skill is designed to allow advanced users/LLMs to provide arbitrary JavaScript, clearly document this inherent risk and advise users to only execute trusted code. Consider sandboxing the browser context further if possible, or restricting network access from `page.evaluate` calls. | LLM | main.py:300 |
| HIGH | Arbitrary file write via `screenshot` and `pdf` actions: The `screenshot` and `pdf` actions accept a `path` parameter that directly controls where the output file is saved on the host system. If an AI agent is prompted to provide a malicious path (e.g., using directory traversal `../` or absolute paths), it could lead to writing files to arbitrary locations, overwriting sensitive system files, or exfiltrating data by writing to a publicly accessible directory. Restrict the `path` parameter to a designated, sandboxed output directory. Implement strict sanitization to prevent directory traversal (`../`) and absolute paths. Ensure the skill's runtime environment enforces appropriate file system permissions. | LLM | main.py:270 |
| HIGH | Arbitrary file read/upload via `upload_file` action: The `upload_file` action accepts a `files` parameter, which is a list of file paths on the host system. These files are then uploaded to a web form element. If an AI agent is prompted to provide malicious file paths, it could lead to reading and uploading arbitrary sensitive files from the host system to an external website, resulting in data exfiltration. Restrict the `files` parameter to a designated, sandboxed input directory. Implement strict sanitization to prevent directory traversal (`../`) and absolute paths. Ensure the skill's runtime environment enforces appropriate file system permissions. | LLM | main.py:226 |
| MEDIUM | Unpinned Python dependency version: Requirement 'playwright' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/raff-lima/browserless-agent/requirements.txt:1 |
| MEDIUM | Unpinned `playwright` dependency: The `requirements.txt` file specifies `playwright` without a pinned version. This means that future installations could pull in any new version of `playwright`, which might introduce breaking changes, new vulnerabilities, or unexpected behavior. This increases the supply chain risk. Pin the `playwright` dependency to a specific, known-good version (e.g., `playwright==1.30.0`). Regularly review and update dependencies to benefit from security patches while maintaining control over the exact version used. | LLM | requirements.txt:1 |