Security Audit
sundial-org/awesome-openclaw-skills:skills/agent-browser
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/agent-browser received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include overly broad Bash permissions for `agent-browser`, data exfiltration and credential harvesting via `agent-browser` commands, and arbitrary JavaScript execution via `agent-browser eval`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Overly broad Bash permissions for `agent-browser`**<br>The skill declares `Bash(agent-browser:*)` in its manifest, which grants the agent the ability to execute any command starting with `agent-browser` with arbitrary arguments. This effectively gives the agent full control over the `agent-browser` CLI tool, a powerful browser automation utility. This broad permission is highly excessive and allows for potential misuse of the tool's capabilities, leading to data exfiltration, credential harvesting, and arbitrary code execution within the browser context.<br>**Recommendation:** Restrict the `Bash` permissions to a minimal set of `agent-browser` subcommands and arguments required for the skill's intended functionality. Consider using a more granular tool definition if the platform supports it, or wrapping `agent-browser` calls in a more controlled script that validates inputs. | LLM | SKILL.md |
| HIGH | **Data exfiltration and credential harvesting via `agent-browser` commands**<br>Given the `Bash(agent-browser:*)` permission, an attacker could craft inputs to leverage `agent-browser` commands for data exfiltration and credential harvesting:<br>**File Upload**: `agent-browser upload @e1 file.pdf` can be used to upload arbitrary local files (e.g., configuration files, sensitive documents) from the agent's environment to an attacker-controlled server.<br>**Information Retrieval**: Commands like `agent-browser get text/html/value/attr`, `agent-browser cookies`, and `agent-browser storage local` can directly retrieve sensitive data from web pages, including form inputs (e.g., passwords), session cookies, and local storage entries.<br>**Session State/Visual Capture**: `agent-browser state save auth.json`, `agent-browser screenshot`, and `agent-browser pdf` can capture and save sensitive session data or visual representations of confidential information, which could then be exfiltrated.<br>**Recommendation:** Implement strict input validation and sanitization for all arguments passed to `agent-browser` commands. Avoid passing untrusted user input directly to commands that can exfiltrate data. Restrict `Bash` permissions to only the absolutely necessary `agent-browser` subcommands and arguments, disallowing or tightly controlling commands like `upload`, `cookies`, `storage`, and `state save`. | LLM | SKILL.md:80 |
| HIGH | **Arbitrary JavaScript execution via `agent-browser eval`**<br>The `agent-browser eval "document.title"` command allows the execution of arbitrary JavaScript code within the context of the browser. With the `Bash(agent-browser:*)` permission, an attacker can supply malicious JavaScript to this command. This is a powerful injection vector that can lead to cross-site scripting (XSS) within the browser, data exfiltration (e.g., `document.cookie`, `localStorage`), and potentially sandbox escapes to the underlying system if vulnerabilities exist in the browser or its environment.<br>**Recommendation:** Never pass untrusted user input directly to the `agent-browser eval` command. If dynamic JavaScript execution is necessary, ensure all inputs are rigorously sanitized and validated, or use a safer alternative that does not involve arbitrary code execution. Consider restricting the `Bash` permission to disallow the `eval` subcommand entirely. | LLM | SKILL.md:109 |