Is admin4giter/tor-browser safe?

https://github.com/openclaw/skills/tree/main/skills/admin4giter/tor-browser

75 · CAUTION

The tor-browser skill is a technically clean Playwright-based Tor automation tool with no prompt injection, no credential harvesting code, and a benign installation process. However, its core value proposition — anonymous, unmonitorable browser automation with data extraction and form submission capabilities — makes it a high-value primitive for covert operations if activated under adversarial agent instructions. The combination of Tor routing (defeating egress monitoring), bypass_csp=True (defeating page-level defenses), and base64 screenshot encoding (defeating file-access monitoring) creates a capable covert exfiltration toolkit that is dangerous not because of what it does automatically, but because of what a malicious operator can instruct an agent to do with it.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (8)

HIGH · Tor routing makes all skill-mediated traffic unmonitorable · -30

All browser traffic initiated by this skill routes through socks5://127.0.0.1:9050 (Tor). This means any data the agent extracts and submits via fill()/click() to an onion endpoint is encrypted, anonymized, and undetectable by standard enterprise network monitoring, DLP, or firewall egress controls. This is the primary attack surface: not what the skill does during installation, but what it enables an agent to do at runtime.

HIGH · Anonymization + data extraction = covert exfiltration primitive · -50

The combination of Tor-routed browsing, text extraction (gettext), link enumeration (links), form submission (fill/click), and base64 screenshot encoding creates a complete covert data staging and exfiltration toolkit. A malicious actor controlling agent instructions could direct the agent to read local files via other skills, then use this skill to POST that data to an attacker-controlled .onion service, with no detectable network signature.

MEDIUM · bypass_csp=True disables Content Security Policy in browser · -20

The Playwright browser context is initialized with bypass_csp=True, which disables Content Security Policy enforcement on all visited pages. This means injected or malicious scripts from visited .onion sites can execute without CSP restrictions — a known vector for browser-based attacks against the agent's local environment if Playwright has any sandbox escapes.

MEDIUM · Screenshot base64 encoding is a covert data channel · -15

The screenshot() method returns image data as a base64-encoded string when no output path is specified. This can be used to capture rendered page content (including any locally-injected content) and return it to the agent context for subsequent exfiltration. Combined with Tor routing, screenshots of sensitive local files or rendered credentials could be extracted without triggering file-access monitoring.

MEDIUM · Proxy parameter accepts arbitrary SOCKS5 URL · -8

The --proxy CLI argument and Config.tor_proxy field accept any SOCKS5 URL. An agent instructed with a malicious proxy URL would route traffic through attacker-controlled infrastructure, enabling man-in-the-middle interception of all browsed content and submitted data — without the anonymity properties of Tor, but with full attacker visibility.

LOW · Hardcoded .onion URL example in SKILL.md · -10

SKILL.md embeds a .onion URL (3g2upl4pq6kufc4m.onion) in multiple code blocks. While this is a DuckDuckGo onion example and poses no direct injection risk, .onion URLs in an agent's system prompt could cause a browsing-capable agent to resolve and navigate to dark web resources during normal task execution if the agent misinterprets documentation as instruction.

INFO · Install behavior is clean: GitHub-only connections · -15

The installation process performed only the expected GitHub HTTPS connection for sparse monorepo checkout. No unexpected processes were spawned, no files were written outside the skill directory, and no new persistent network listeners were created post-install.

INFO · Canary file accesses attributable to audit framework · 0

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at audit timestamps 1771928054-55 and 1771928078. Cross-referencing with EXECVE logs, these accesses align with the audit framework's pre-install baseline read and post-install integrity verification, not with any skill code execution. No skill-initiated reads of sensitive paths were detected.