Is adcentury/actionbook safe?

https://github.com/openclaw/skills/tree/main/skills/adcentury/actionbook

91
SAFE

Actionbook is a browser automation skill consisting entirely of markdown documentation with zero executable code, no install hooks, and no prompt injection in its system prompt content. All credential file reads in the monitoring logs are attributable to the oathe audit harness canary checks and not to any skill-initiated action; canary files were confirmed unmodified. The primary risks are inherent to the tool's legitimate purpose: user task descriptions are sent to the third-party api.actionbook.dev service, the browser eval command enables arbitrary in-page JavaScript execution, and the authentication reference normalizes sourcing of local .env files during login automation.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM All search queries transmitted to third-party API -15

Every call to 'actionbook search' sends the user's task description verbatim to api.actionbook.dev. The config key 'api.base_url' defaults to this endpoint and 'api.api_key' authenticates requests. User task intent (e.g., job searches, travel bookings, financial queries) is logged by the Actionbook service with unknown data retention policies.

LOW Arbitrary JavaScript execution in browser context via eval -8

The skill explicitly documents and encourages 'actionbook browser eval' for DOM inspection and data extraction. This gives the agent full JavaScript execution privileges inside any page it visits, enabling reads of localStorage, sessionStorage, cookies, and any in-page credentials or tokens.

LOW Authentication reference instructs agent to source .env files -12

authentication.md presents 'source .env' as a security best practice for credential loading. While contextually appropriate for browser automation, this explicitly teaches the agent to read local .env files when executing login flows, normalizing access to credential files during web automation tasks.

LOW Full cookie management exposes all authenticated sessions -5

The cookie command suite (set/get/delete/clear) enables the agent to read existing authentication cookies from the user's browser profiles, inject arbitrary cookies, or destroy sessions. The --domain flag allows cross-subdomain cookie manipulation.

INFO Broad activation scope creates indirect prompt injection surface -12

The skill activates for any website interaction. Adversarial websites could embed instructions in their page content (accessibility tree, text content, form labels) that the agent reads via 'actionbook browser text' or 'snapshot', potentially manipulating subsequent actions. This is an architectural risk of browser automation, not a flaw specific to this skill.

INFO Clean sparse-checkout install from public monorepo 0

Installation used git sparse-checkout to extract only the skill subdirectory from the openclaw/skills monorepo. Only the four expected markdown files were installed. The single GitHub connection is fully accounted for by the install process.