Is agent-browser-clawdbot safe?

https://clawhub.ai/MaTriXy/agent-browser-clawdbot

72
CAUTION

This skill is a documentation-only package that teaches an AI agent to use the agent-browser CLI for headless browser automation. It contains no executable code or direct malicious content. However, the capabilities it unlocks — arbitrary web navigation, in-browser JavaScript execution, auth state persistence, and network response mocking — create significant indirect risk. The installation monitoring also detected access to .aws/credentials and .env files, though this is likely attributable to the openclaw platform rather than the skill itself.

Category Scores

Category               Score    Weight
Prompt Injection       75/100   30%
Data Exfiltration      60/100   25%
Code Execution         75/100   20%
Clone Behavior         65/100   10%
Canary Integrity      100/100   10%
Behavioral Reasoning   55/100    5%

Findings (9)

HIGH Sensitive file access during installation -25

During skill installation, the monitoring detected reads of /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. While this is likely the openclaw platform's own initialization process rather than the skill, the access to .aws/credentials and .env is concerning as it cannot be definitively attributed.

MEDIUM Arbitrary web navigation enables indirect prompt injection -20

The skill instructs the agent to navigate to arbitrary URLs and parse accessibility tree snapshots. A malicious web page could embed prompt injection payloads in accessible element names, ARIA labels, or text content that would be consumed by the agent through the snapshot JSON output.

MEDIUM JavaScript execution capability via wait --fn -10

The wait --fn command allows arbitrary JavaScript execution in the browser context. If an attacker can influence the arguments (e.g., through a crafted task), they could execute malicious JavaScript that modifies page content to include prompt injection payloads in subsequent snapshots.

MEDIUM Auth state persistence creates token exposure risk -15

The state save/load commands persist cookies and localStorage to JSON files on disk. This creates a durable record of authentication tokens that could be accessed by other skills or processes.

MEDIUM Global npm install with Chromium download required -25

The skill requires npm install -g agent-browser and agent-browser install (which downloads Chromium). Global npm installs run with user-level permissions and pull from the npm registry, introducing supply chain risk from the agent-browser package and its dependencies.

MEDIUM Network route mocking enables response manipulation -15

The network route command can intercept and mock API responses within the browser. An agent using this skill could be instructed to mock responses from legitimate services, creating a browser-level man-in-the-middle scenario.

LOW Multi-session capability increases attack surface -10

The session isolation feature allows running multiple browser instances simultaneously. While useful for legitimate testing, this could be abused to maintain persistent browser sessions or conduct parallel operations that are harder to monitor.

INFO Platform initialization files accessed -5

The openclaw platform read .profile, .bashrc, and openclaw.json multiple times during installation. This is expected platform behavior for environment setup and configuration loading, not attributable to the skill.

INFO No executable code in skill package 0

The skill package contains only SKILL.md, _meta.json, and origin.json. No executable scripts, npm hooks, git hooks, submodules, or symlinks were found. The skill is purely instructional documentation.