Is agent-browser safe?

https://clawhub.ai/TheSethRose/agent-browser

Overall score: 52 (CAUTION)

Agent Browser is a documentation-only skill wrapping the agent-browser CLI for headless browser automation. The skill contains no executable code itself, but its broad allowed-tools declaration and powerful command set (arbitrary JavaScript eval, network interception, cookie and session harvesting, and direct credential handling) create a significant risk of data exfiltration and session hijacking, especially in multi-skill environments or under prompt injection. The skill's clean install profile and intact canaries are offset by the inherently dangerous capabilities it exposes to the agent.

Category Scores (score out of 100; the percentage is the category's weight in the overall score)

Prompt Injection: 45/100, weight 30%
Data Exfiltration: 35/100, weight 25%
Code Execution: 40/100, weight 20%
Clone Behavior: 90/100, weight 10%
Canary Integrity: 100/100, weight 10%
Behavioral Reasoning: 40/100, weight 5%

Findings (11)

HIGH (-35): Browser session and credential harvesting capabilities

The skill provides commands to read cookies, localStorage and sessionStorage, and to save and load full browser session state. An agent following these instructions can extract authentication tokens, session cookies, and stored credentials from any site the user is logged into. The state save command persists this data to disk, where other skills could read it or exfiltrate it. A saved state file is equivalent to the user's live session: treat it like a password, restrict its permissions, and keep it out of anything that is committed or shared.

HIGH (-30): Network interception and request manipulation

The network route command intercepts HTTP requests issued by the page and can return mocked responses, which gives an attacker-controlled skill an in-browser man-in-the-middle position without touching the network. Combined with set headers, it could redirect sensitive API calls to attacker-controlled servers or attach credential-bearing headers to requests that leave the browser.

HIGH (-30): Arbitrary JavaScript execution via eval command

The eval command executes arbitrary JavaScript in the page context, with access to the full DOM, cookies readable by script, localStorage, and the ability to issue network requests under the page's origin and credentials. Because a browsing agent reads untrusted page content, instructions hidden in a visited page can steer it to run eval and exfiltrate any data the browser can see.

HIGH (-30): Broad tool permission with powerful subcommands

The skill declares allowed-tools: Bash(agent-browser:*), which permits the agent to run any agent-browser subcommand through Bash without a per-command approval prompt. The grant does not distinguish navigation and screenshots from eval, network route, set credentials and state save, so a prompt-injected or socially engineered agent reaches the dangerous commands with the same pre-approved permission as the benign ones.
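One practical mitigation for the four HIGH findings above (session harvesting, network interception, eval, and the blanket Bash(agent-browser:*) grant) is to put a policy shim in front of the CLI so that the flagged subcommands need an explicit operator opt-in instead of riding on the blanket permission. The POSIX shell script below is an added example written for this page; it is not code from the agent-browser project or from the skill. It gates only the subcommands the findings name (eval, network route, set headers, set credentials, state save, state load, and the --cdp flag); the storage subcommand names cookies, localstorage and sessionstorage, the AB_ALLOW_SENSITIVE override variable, and the AB_REAL_BIN path are assumptions chosen for the example.

```shell
#!/bin/sh
# Policy shim for the agent-browser CLI (added example for this page, not
# project code). Subcommands the audit identifies as exfiltration and
# session-hijack primitives are denied unless the operator opts in for the
# current session with AB_ALLOW_SENSITIVE=1 (variable name chosen here).

# ab_guard ARGV...: print a verdict and return 0 (allow) or 1 (deny).
ab_guard() {
    if [ "${AB_ALLOW_SENSITIVE-}" = "1" ]; then
        echo "ALLOW (operator override)"
        return 0
    fi

    # --cdp anywhere in argv means "attach to an existing DevTools endpoint",
    # possibly another user's browser, so it is refused whatever the subcommand.
    for arg in "$@"; do
        case "$arg" in
            --cdp|--cdp=*) echo "DENY --cdp: attach to external browser"; return 1 ;;
        esac
    done

    sub=${1-}
    verb=${2-}
    case "$sub" in
        eval)
            echo "DENY eval: arbitrary JavaScript in page context"; return 1 ;;
        network)
            case "$verb" in
                route) echo "DENY network route: request interception"; return 1 ;;
            esac ;;
        set)
            case "$verb" in
                headers|credentials)
                    echo "DENY set $verb: header or credential injection"; return 1 ;;
            esac ;;
        state)
            case "$verb" in
                save|load) echo "DENY state $verb: session persistence"; return 1 ;;
            esac ;;
        cookies|localstorage|sessionstorage)   # storage read-out; names assumed
            echo "DENY $sub: storage read-out"; return 1 ;;
    esac

    echo "ALLOW"
    return 0
}

# ab_exec ARGV...: shim entry point. Install this file on PATH ahead of the
# real binary under the name "agent-browser", set AB_REAL_BIN to the original,
# and end the file with:  ab_exec "$@"
ab_exec() {
    ab_guard "$@" >&2 || return 126
    exec "${AB_REAL_BIN:?set AB_REAL_BIN to the real agent-browser}" "$@"
}
```

With the shim in place the allowed-tools declaration can stay as it is: benign subcommands pass straight through, while the flagged ones exit non-zero with a reason the agent can surface to the user. It is a coarse control, since a determined sequence of allowed commands can approximate some of what eval does, so treat it as friction against prompt injection rather than as a security boundary.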

MEDIUM (-20): npm global install with unknown install scripts

The installation step npm install -g agent-browser runs whatever preinstall, install and postinstall scripts the published package declares, with the installing user's privileges, and agent-browser install --with-deps then installs system-level dependencies. The skill itself contains no executable code; it delegates all execution to this externally managed npm package, so the skill's clean static scan says nothing about what the package does. Before installing, review the package's lifecycle scripts (npm view agent-browser scripts) and consider npm install -g --ignore-scripts agent-browser, keeping in mind that a package may need its postinstall step in order to work at all.

MEDIUM (-10): CDP port connection enables cross-browser-instance access

The --cdp <port> flag connects the CLI to an existing Chrome DevTools Protocol endpoint on the given port instead of launching its own browser. If another browser on the host is running with remote debugging enabled (Chromium's --remote-debugging-port), the skill can attach to it and read its open pages, cookies and session data, which belong to whatever accounts that browser is signed into. Before relying on a sandboxed browser for isolation, check that no other browser on the host exposes such a port.
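A host-side check for this finding, as an added example that is not from the skill or the agent-browser project: list the TCP listeners owned by a Chromium-family process in the output of ss -ltnp, which is where a --remote-debugging-port endpoint shows up. The ss sample embedded below is constructed for the example; the function names are mine, but the /json/version URL that probe_cdp queries is the standard CDP discovery endpoint.

```shell
#!/bin/sh
# Added example: find browsers on this host that expose a Chrome DevTools
# Protocol listener, the thing `agent-browser --cdp <port>` can attach to.
# Input is `ss -ltnp` output (Linux). Real use:  ss -ltnp | find_cdp_listeners

# find_cdp_listeners: read ss -ltnp lines on stdin and print "<port> <process>"
# for every TCP listener owned by a Chromium-family process.
find_cdp_listeners() {
    awk '
        NR == 1 { next }                    # header row
        $6 ~ /chrom|msedge|brave/ {
            n = split($4, addr, ":")        # handles 127.0.0.1:9222 and [::1]:9222
            split($6, proc, "\"")           # users:(("chrome",pid=...)) -> chrome
            print addr[n], proc[2]
        }'
}

# probe_cdp PORT: confirm the port really speaks CDP. /json/version is the
# discovery endpoint served by any Chromium started with --remote-debugging-port;
# its JSON reply carries the webSocketDebuggerUrl an attacher would use.
probe_cdp() {
    curl -fsS --max-time 2 "http://127.0.0.1:$1/json/version" 2>/dev/null \
        | grep -q '"webSocketDebuggerUrl"'
}

# Constructed sample of ss -ltnp output for offline use: one Chrome with
# --remote-debugging-port=9222, one Chromium on IPv6 loopback, and sshd.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:9222      0.0.0.0:*         users:(("chrome",pid=4242,fd=31))
LISTEN 0      4096   [::1]:9333          [::]:*            users:(("chromium",pid=5151,fd=40))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))'

# cdp_report: run the detector over the sample (swap in `ss -ltnp` for real use).
cdp_report() {
    printf '%s\n' "$SAMPLE_SS" | find_cdp_listeners
}
```

Any port the detector reports is one the skill could pass to --cdp, so either close that browser's debugging port or confirm it belongs to the sandboxed instance the agent is meant to drive. probe_cdp needs access to localhost and is therefore not exercised by the embedded sample.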

MEDIUM (-20): Powerful automation toolkit increases attack surface when combined with other skills

Each capability (browsing, form filling, cookie access) is legitimate for browser automation, but together they form a complete credential-theft and session-hijacking toolkit. A second skill with filesystem or network access could pick up the saved session state and exfiltrate it. The skill is therefore most dangerous in multi-skill environments.

MEDIUM (-15): Credential-handling examples normalize sensitive operations

The SKILL.md includes examples that fill in username and password fields and save the resulting authentication state. This normalizes the agent handling credentials directly and makes social engineering easier: a user who has watched the agent log in and save auth state as routine is less likely to question the same actions when an attacker's instructions trigger them.

LOW (-10): Host agent framework accessed .env and .aws/credentials during install

Filesystem monitoring shows /home/oc-exec/.env and /home/oc-exec/.aws/credentials were accessed during the audit. This appears to be the host OpenClaw agent framework reading its own configuration rather than the skill itself, but it is notable that these sensitive files were touched within the skill installation context.

INFO (0): No executable code in skill repository

The skill contains only markdown documentation (SKILL.md, CONTRIBUTING.md) and JSON metadata files. No executable code, git hooks, submodules, or symlinks are present. All functionality is delegated to the externally-installed agent-browser npm package.

INFO (0): Clean network profile during installation

No outbound network connections were detected during the clone and install phase, and none were blocked by the firewall; the skill installation was purely local. This profile covers the skill's own clone and install only; the npm install -g agent-browser step that the skill's instructions direct the user to run afterwards is a separate step not covered by it.