Security Audit
sundial-org/awesome-openclaw-skills:skills/agent-browser-5
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/agent-browser-5 received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Arbitrary JavaScript Execution via 'eval' command, Direct Access to Sensitive Browser Data, and Unpinned Dependency in Installation Instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary JavaScript Execution via 'eval' command.** The `agent-browser eval "..."` command allows arbitrary JavaScript execution within the browser context. If an attacker can control the JavaScript string passed to this command, they can inject malicious code to read sensitive data (e.g., cookies, local storage, form data, DOM content) from the visited web page and exfiltrate it to an external server. This is a direct and high-impact data exfiltration and credential harvesting vulnerability. Implement strict input validation and sanitization for the JavaScript string passed to `agent-browser eval`. Ideally, avoid allowing arbitrary JS execution if not strictly necessary, or implement a robust sandboxing mechanism for the executed JavaScript. | LLM | SKILL.md:190 |
| HIGH | **Direct Access to Sensitive Browser Data.** Commands like `agent-browser cookies`, `agent-browser storage local`, and `agent-browser get value @e1` allow direct retrieval of sensitive browser data, including session cookies, local storage contents, and values from input fields (which may contain credentials). If an attacker can control the `agent-browser` commands, they can instruct the agent to retrieve and potentially exfiltrate this sensitive data. Ensure the agent's prompts and internal logic are designed to prevent it from being tricked into retrieving and exposing sensitive data. Implement robust input validation for arguments to these commands to prevent unexpected data retrieval or scope creep. | LLM | SKILL.md:100 |
| HIGH | **Unpinned Dependency in Installation Instructions.** The installation instructions recommend `npm install -g agent-browser` without specifying a version. This means the skill will always install the latest version of `agent-browser`. If a malicious or vulnerable version is published to npm, it could be automatically installed, leading to a supply chain attack where the agent's environment is compromised. Pin the `agent-browser` version in the installation instructions (e.g., `npm install -g agent-browser@X.Y.Z`) to ensure deterministic and secure installations. Regularly review and update the pinned version to incorporate security fixes. | LLM | SKILL.md:10 |
| MEDIUM | **Broad Tool Permissions for a Powerful CLI.** The declared permission `Bash(agent-browser:*)` grants the agent the ability to execute *any* command starting with `agent-browser`. Given the powerful capabilities of the `agent-browser` CLI tool (e.g., arbitrary JavaScript execution, file system writes for screenshots/PDFs/state, network interception, sensitive data access), this broad permission significantly increases the attack surface if an attacker can manipulate the arguments passed to `agent-browser` commands. If possible, narrow the `Bash` permission to specific `agent-browser` subcommands or arguments that are strictly necessary for the skill's intended function. Implement a robust input sanitization layer for all arguments passed to `agent-browser` commands to mitigate the risk of command injection or misuse of powerful features. | LLM | Manifest |