Security Audit
sundial-org/awesome-openclaw-skills:skills/agent-browser-3
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/agent-browser-3 received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 3 critical, 4 high, 2 medium, and 0 low severity. Key findings include Arbitrary JavaScript Execution via `agent-browser eval`, Loading Arbitrary Browser Extensions, and Execution of Arbitrary Browser Executables.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary JavaScript Execution via `agent-browser eval` | The `agent-browser eval` command allows the execution of arbitrary JavaScript code within the browser's context. If an attacker can control the string passed to `eval`, they can perform actions such as data exfiltration (e.g., reading cookies, local storage, or sensitive DOM content), manipulating the page, or making unauthorized network requests. This is a direct command injection vulnerability within the browser environment. | Prevent untrusted input from directly controlling the argument to `agent-browser eval`. If JavaScript execution is necessary, implement strict sanitization and whitelisting of allowed scripts or functions. Consider using a more restricted API if possible. | LLM | SKILL.md:79 |
| CRITICAL | Loading Arbitrary Browser Extensions | The `agent-browser --extension <path>` global option and `AGENT_BROWSER_EXTENSIONS` environment variable allow loading arbitrary browser extensions from a specified path. If an attacker can control this path, they could load a malicious extension capable of intercepting network traffic, modifying web content, exfiltrating data (e.g., credentials, sensitive information), or performing other harmful actions within the browser environment. This poses a significant supply chain risk and a direct command injection vector if the path points to a malicious executable or script. | Prevent untrusted input from controlling the `--extension` argument or `AGENT_BROWSER_EXTENSIONS` environment variable. Only allow loading of trusted, pre-approved extensions from secure, immutable locations. | LLM | SKILL.md:91 |
| CRITICAL | Execution of Arbitrary Browser Executables | The `agent-browser --executable-path <p>` global option and `AGENT_BROWSER_EXECUTABLE_PATH` environment variable allow specifying a custom path to the browser executable. If an attacker can control this path, they could force the agent to launch a malicious executable instead of the intended browser, leading to arbitrary code execution on the host system (if the `agent-browser` tool itself is not sufficiently sandboxed, or if the malicious executable is designed to exploit the browser's context). This is a severe supply chain risk and a direct command injection vector. | Prevent untrusted input from controlling the `--executable-path` argument or `AGENT_BROWSER_EXECUTABLE_PATH` environment variable. Only allow trusted browser executables from secure, immutable locations. | LLM | SKILL.md:90 |
| HIGH | Broad Bash Execution for `agent-browser` | The declared permission `Bash(agent-browser:*)` grants the agent the ability to execute any command starting with `agent-browser`. Given the extensive and powerful capabilities of the `agent-browser` tool (including arbitrary JavaScript execution, file uploads, network interception, loading extensions, and custom executables), this permission is overly broad. It allows the agent to perform highly sensitive operations if not carefully constrained by the LLM's internal logic and robust user input sanitization. | Review the actual requirements for the skill. If not all `agent-browser` subcommands are strictly necessary, consider narrowing the `Bash` permission to a more specific set of commands (e.g., `Bash(agent-browser:open,snapshot,click)`). Implement robust input validation and sanitization for all arguments passed to `agent-browser` commands to prevent command injection. | LLM | Manifest |
| HIGH | Direct Browser Data Exfiltration (Cookies & Local Storage) | The `agent-browser cookies` and `agent-browser storage local` commands allow direct retrieval of all cookies and local storage entries from the active browser session. This can lead to the exfiltration of sensitive user data, session tokens, and other credentials stored in the browser. | Restrict the use of `agent-browser cookies` and `agent-browser storage local` to only trusted contexts. Implement strict access controls and ensure that any retrieved data is handled securely and not exposed to untrusted parties. | LLM | SKILL.md:70 |
| HIGH | Arbitrary File Upload Capability | The `agent-browser upload @e1 file.pdf` command allows uploading a local file to a web form. If an attacker can control the `file.pdf` argument, they could potentially upload arbitrary files from the agent's accessible filesystem to a remote server. This could lead to data exfiltration or, if the remote server is vulnerable, further compromise. | Implement strict validation and sanitization of file paths provided to the `agent-browser upload` command. Restrict file uploads to specific, pre-approved directories or file types. | LLM | SKILL.md:40 |
| HIGH | Network Interception and Response Modification | The `agent-browser network route <url> --body '{}'` command allows intercepting network requests and modifying their responses. An attacker controlling the URL or the `--body` argument could inject malicious content into web pages, exfiltrate data by routing requests to an attacker-controlled server, or bypass security measures by altering API responses. | Prevent untrusted input from controlling the URL or `--body` arguments for `agent-browser network route`. Only allow routing rules to trusted domains and with pre-defined, safe response bodies. | LLM | SKILL.md:76 |
| MEDIUM | Broad Web Page Data Extraction | Commands like `agent-browser get html`, `get text`, `get value`, and `get attr` allow extracting significant portions of web page content, including potentially sensitive information displayed on the page. While not as direct as `eval` or `cookies`, if the agent is directed to visit a sensitive page and then extract its content, this could lead to data exfiltration. | Ensure that the agent is only directed to extract data from trusted and non-sensitive web pages. Implement content filtering or redaction if sensitive information might be present in extracted data. | LLM | SKILL.md:45 |
| MEDIUM | Visual and Video Data Capture | The `agent-browser screenshot`, `pdf`, and `record` commands can capture visual representations or video recordings of the browser's content. If the browser displays sensitive information, these captures could inadvertently exfiltrate that data. | Exercise caution when using these commands on pages that may display sensitive information. Ensure that captured files are stored securely and access is restricted. | LLM | SKILL.md:58 |