Is b0tresch/b0tresch-stealth-browser safe?

https://github.com/openclaw/skills/tree/main/skills/b0tresch/b0tresch-stealth-browser

77
CAUTION

The b0tresch-stealth-browser skill is a functional, transparent Puppeteer-based browser tool with no prompt injection, no malicious install scripts, and no direct credential harvesting code. However, it is explicitly architected to defeat bot detection, IP blocks, CAPTCHA, and Cloudflare/Vercel protection, and when active in an LLM agent with shell access, it provides a residential-IP-routed, certificate-ignoring, sandbox-disabled browser that constitutes a high-capability covert exfiltration and SSRF channel. The skill's combination of stealth routing, disregard for HTTPS certificate errors, and full page content return to the agent creates significant risk if the agent can be prompted or injected into using the browser against attacker-controlled or internal URLs.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

HIGH Chrome launched without sandbox isolation -20

The browser.js script passes --no-sandbox and --disable-setuid-sandbox to Chromium. These flags are sometimes required in containerized environments but remove the renderer process sandbox, meaning a renderer exploit (e.g., via a malicious page the agent browses) could achieve host code execution.

HIGH HTTPS certificate errors silently ignored -12

ignoreHTTPSErrors: true is set globally. Combined with the Smartproxy residential proxy, any proxy operator or on-path attacker can present an invalid certificate and the browser will proceed without warning, exposing all page content.

HIGH Skill designed to defeat security controls — creates powerful exfiltration channel when active in agent -35

The skill's entire purpose is to bypass bot detection, IP blocks, and Cloudflare/CAPTCHA protections. When active in an LLM agent with filesystem and shell access, it provides a residential-IP-routed, TLS-wrapped, human-fingerprinted channel that can carry exfiltrated data with minimal detectability. An attacker controlling a URL the agent visits receives arbitrary data embedded by that page.

MEDIUM Cryptocurrency faucet automation listed as proven use case -15

The SKILL.md explicitly lists 'faucet sites with protection' as a tested working target. Cryptocurrency faucets are high-volume low-value payout systems that depend on bot detection to limit fraud. Automating them at scale with residential IPs constitutes fraud against those services.

MEDIUM Stealth browser output passed directly to agent — full page content exposure -20

The --html and --text flags return the full rendered page content, which the agent receives and processes. A page the agent is directed to can embed arbitrary content in its body, including fabricated instructions, encoded data, or prompt injection payloads that the consuming LLM may act on.

MEDIUM SSRF risk via agent-directed browsing -10

If an attacker can influence what URL the agent passes to this skill, the unsandboxed Chromium will fetch arbitrary URLs including cloud metadata endpoints (169.254.169.254), internal services, or localhost ports — all with a realistic browser fingerprint that may bypass server-side SSRF defenses.

LOW Proxy credential file read on every invocation -15

The skill reads ~/.config/smartproxy/proxy.json containing authentication credentials on every call, even for non-proxy usage (getProxyConfig() is always called in createBrowser when useProxy is true). The path is hardcoded to the home directory. This is documented behavior but means the file must exist with permissive permissions for the tool to function.

LOW JavaScript injected into every page via evaluateOnNewDocument -8

The skill installs JavaScript overrides (navigator.webdriver, navigator.plugins, navigator.languages) into every page context before navigation. This is the documented stealth mechanism and the code is benign, but it means the skill is executing code inside the browser context of every site visited.

INFO No unexpected network connections during installation 0

The only external connection during the audit window was the git clone to GitHub (140.82.121.4:443). No npm install was triggered (no package download traffic observed), and no unexpected destinations were contacted.

INFO SKILL.md is clean — no injection attempts detected 0

The SKILL.md contains no instructions to override system prompts, suppress output, change persona, ignore prior instructions, or perform actions beyond the stated browsing use case. The frontmatter, description, and body are consistent with each other and accurately describe the tool's capabilities.