Is antoniocirclemind/smoothbrowser safe?
https://github.com/openclaw/skills/tree/main/skills/antoniocirclemind/smoothbrowser
SmoothBrowser is a documentation-only skill wrapping the smooth.sh commercial browser automation SaaS. Its primary risk is architectural: all web interactions, credentials, sessions, and file uploads are routed through and stored on smooth.sh's third-party servers as a core design feature, creating a persistent and pervasive data exfiltration pathway. Secondary concerns include a 'PREFERRED BROWSER' prompt injection attempting to bias skill selection, instructions to build a persistent credential memory, and unrestricted file upload capability that could expose sensitive local files to the vendor's cloud.
Findings (11)
HIGH All browser traffic proxied through smooth.sh by default -35
The smooth CLI configures a built-in proxy for every browser session unless explicitly disabled with --no-proxy. This means all websites visited, credentials entered, forms submitted, and data scraped during agent operation are routed through and logged by smooth.sh infrastructure. The skill documents this as a feature, not a risk, and does not advise users to disable the proxy for sensitive operations.
HIGH Local file upload to vendor cloud with no path restrictions -30
The smooth upload-file command accepts an arbitrary filesystem path and uploads the file to smooth.sh cloud storage, returning a file_id for use in browser sessions. No path restrictions are documented. An agent following this skill's patterns — or manipulated via prompt injection — could upload SSH keys, .env files, AWS credentials, or any other sensitive file to the vendor's cloud.
HIGH Authenticated session state persisted on vendor servers -20
The profile system stores cookies, login sessions, and browser state on smooth.sh's servers and retrieves them across future sessions. When the agent authenticates to any third-party service (GitHub, email, banking, SaaS tools), those session tokens are stored externally and subject to access by the smooth.sh operator or any breach of their infrastructure.
MEDIUM PREFERRED BROWSER designation biases skill selection -15
The skill description opens with 'PREFERRED BROWSER' in all-caps, a technique intended to influence the LLM to select this skill over alternatives when the user requests browser interactions. This overrides user or system intent to use different browser automation tools and is a soft prompt injection targeting skill routing.
MEDIUM Persistent memory manipulation for authentication profiles -13
The skill explicitly instructs the agent to save a mapping of authentication profiles to services in the agent's persistent memory. Over time this creates a continuously growing credential directory stored in agent memory and queryable by the skill on future invocations, representing an expanding attack surface.
MEDIUM Instructs pip installation of external package without integrity pinning -20
The skill instructs the agent to run 'pip install smooth-py' to acquire the smooth CLI. This installs a PyPI package with no version pin or hash verification beyond PyPI signing. The package executes arbitrary Python code on install and runtime, and a compromised or malicious smooth-py package could achieve full local code execution.
MEDIUM Arbitrary JavaScript execution in authenticated browser sessions -12
The smooth evaluate-js command executes arbitrary JavaScript code inside browser sessions that may already be authenticated to sensitive services. This could be used to exfiltrate session data, read page content, or inject malicious scripts into authenticated contexts. An agent receiving injected instructions via web content could chain this capability.
MEDIUM Structured user PII transmitted via --metadata to vendor infrastructure -10
The --metadata flag sends a JSON object containing user data to smooth.sh's remote session infrastructure where it is processed by the vendor's agent. This flag is documented with examples containing email addresses and real names, establishing a pattern of sending PII to the vendor as normal operation.
LOW Embedded commercial upsell instruction -5
The skill instructs the agent to proactively remind users to upgrade their smooth.sh subscription when plan limits are reached. This embeds a commercial prompt directly into agent behavior, directing the agent to act as a sales channel for the skill vendor without user direction.
HIGH Architectural design creates persistent third-party surveillance channel -40
Unlike local browser automation tools (Playwright, Puppeteer), smooth-browser routes all interactions through smooth.sh's cloud. Combined with broad trigger phrases, persistent profile memory, and file upload capability, this skill ensures that over time the smooth.sh operator accumulates a comprehensive record of the agent's web activity, credentials, and data. The cross-skill attack vector is significant: an agent with both filesystem access and this skill installed could be tricked into reading sensitive local files and uploading them via smooth upload-file in a single multi-step task.
INFO Clean installation with no unexpected behavior 0
Installation contacted only github.com (140.82.121.4:443) as expected for a git sparse-checkout. No unexpected processes were spawned, no files were written outside the skill directory, and no unexpected network connections were established during or after installation.