Security Audit
sundial-org/awesome-openclaw-skills:skills/agent-browser-2
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/agent-browser-2 received a trust score of 42/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 1 medium, and 2 low severity. Key findings include Excessive Permissions: Arbitrary Filesystem Access via State Management, Supply Chain Risk: Unpinned Dependency for CLI Tool, Data Exfiltration Capability: Access to Sensitive Browser Data.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Excessive Permissions: Arbitrary Filesystem Access via State Management.** The `agent-browser state save <path>` and `agent-browser state load <path>` commands allow saving and loading browser session state (including cookies, local storage, etc.) to/from a specified file path. If an attacker can control the `<path>` argument via a malicious prompt, this could lead to arbitrary file read/write operations on the host system. This enables potential data exfiltration of local files or injection of malicious content into arbitrary files. Implement strict validation or sandboxing of file paths used by `state save/load` commands. Restrict these operations to a designated, isolated directory that is not accessible to other system processes or sensitive data. Avoid allowing arbitrary file paths from untrusted input. | Static | SKILL.md:139 |
| MEDIUM | **Supply Chain Risk: Unpinned Dependency for CLI Tool.** The skill's installation instructions recommend `npm install -g agent-browser` without specifying a fixed version. This introduces a supply chain risk, as a compromised or malicious update to the `agent-browser` npm package could be automatically installed, affecting the security of the agent and its environment. Future installations or updates could inadvertently pull a vulnerable or malicious version. Pin the version of `agent-browser` in the installation instructions (e.g., `npm install -g agent-browser@1.2.3`) to ensure deterministic and secure installations. Regularly review and update the pinned version after verifying its integrity. | Static | SKILL.md:170 |
| LOW | **Data Exfiltration Capability: Access to Sensitive Browser Data.** The `agent-browser` skill provides commands such as `agent-browser cookies`, `agent-browser storage local key`, and `agent-browser get text/html` that allow an agent to retrieve potentially sensitive data directly from the browser context (e.g., session cookies, local storage items, or full page content). While these are intended features, a malicious prompt could instruct the agent to exfiltrate user credentials, session tokens, or other private information from visited websites. Implement strict input validation and output filtering for agent prompts that interact with these commands. Consider sandboxing the browser environment more aggressively or redacting sensitive information from command outputs before they are returned to the agent. Provide clear warnings about the sensitive nature of these commands. | Static | SKILL.md:151 |
| LOW | **Command Injection: Browser-side JavaScript Execution.** The `agent-browser wait --fn "<javascript_code>"` command allows the execution of arbitrary JavaScript within the browser's context. If a malicious prompt can inject code into the `--fn` argument, it could lead to client-side attacks, such as manipulating web page content, stealing data via JavaScript (e.g., XSS-like attacks), or bypassing browser-side security controls. This is a browser-side injection, not a host-side shell injection. Carefully validate and sanitize any user-provided input that is passed to the `--fn` argument to prevent arbitrary JavaScript injection. Consider restricting the scope of JavaScript that can be executed or running it in a more isolated context within the browser. | Static | SKILL.md:109 |