Is bodafu/browser-automation-v2 safe?

https://github.com/openclaw/skills/tree/main/skills/bodafu/browser-automation-v2

Overall score: 77/100 · CAUTION

Browser Automation v2 is a functionally legitimate browser automation skill with no evidence of intentional malice, prompt injection, or credential exfiltration during the monitored install window — canary files are confirmed intact and the SKILL.md is clean. However, browser-manager.v2.js contains multiple critical command injection vulnerabilities caused by direct shell string interpolation of unsanitized parameters (type, url, format, limit), creating realistic exploitation paths if an agent processes attacker-controlled content. The combination of unconstrained URL navigation, automatic form-fill without domain verification, and browser-context JavaScript evaluation makes this skill high-risk in adversarial scenarios even absent explicitly malicious code.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 58/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 96/100 · 10%
Behavioral Reasoning 48/100 · 5%

Findings (9)

HIGH Command Injection in type() via Unsanitized text Parameter -30

browser-manager.v2.js type() constructs a shell command by directly interpolating the text argument with no escaping. Any caller-controlled string containing shell metacharacters (semicolons, backticks, $(), etc.) will execute as shell code under the agent's user account. This is trivially exploitable if an agent is directed to fill a form on an attacker-controlled page.

HIGH Command Injection in open() via Unsanitized url Parameter -25

The open() method interpolates the url argument directly into a shell exec string. A URL containing shell metacharacters executes as shell code. Combined with a network-fetch skill or attacker-supplied URL, this can lead to arbitrary command execution.

MEDIUM Command Injection in snapshot(), waitForLoadState(), waitForSelector() -13

Multiple additional BrowserManager methods interpolate caller-controlled parameters (format, limit, state, timeout, ref) directly into shell commands. The snapshot() format parameter is particularly dangerous as it accepts arbitrary strings.

MEDIUM Unsanitized URL in fetch-summary.js web_fetch exec() Call -15

fetch-summary.js constructs an exec() shell command using process.argv[2] as the URL without any validation or escaping. If an agent passes a crafted URL argument, shell injection is achievable from this entry point as well.

MEDIUM Form Auto-Fill Enables Automated Credential Submission to Phishing Pages -22

fill-form.js matches page textboxes by field name keywords and fills them programmatically without any domain verification, URL allowlist, or user confirmation step. An attacker-controlled page that mimics field names (e.g., 'email', 'password', 'username') will receive auto-filled values if the agent navigates there and invokes fill-form.js.

MEDIUM evaluate --fn Pattern Enables Arbitrary Browser-Context JavaScript -20

Both multi-pages.js and fetch-summary.js use the evaluate --fn command to run JavaScript strings in the browser context. Current usage is benign (document.title, document.body.innerText), but the pattern is extensible; an agent instructed to evaluate a different expression could exfiltrate cookies, localStorage, or page credentials.

LOW Pre-Existing External Network Connection During Monitoring Window -5

A connection to 91.189.91.48:443 (Canonical/Ubuntu CDN) was established before skill installation began and closed during the session. This is not caused by the skill but is noted for completeness.

INFO Canary File Reads Attributable to Audit Infrastructure Only -4

Six credential files were opened at audit timestamps 1771733412 (6 seconds before git clone) and again at 1771733434 (after all install EXECVE events). Both read windows are consistent with oathe audit-system baseline capture and post-install verification, not skill code. All opens are CLOSE_NOWRITE; no skill EXECVE record touches these paths.

INFO SKILL.md Is Clean — No Prompt Injection Patterns Detected 0

Full review of SKILL.md found no instruction overrides, no 'ignore previous instructions' directives, no invisible unicode (U+200B, U+FEFF, etc.), no HTML comment tricks, no persona assignments, and no external URLs the agent is told to fetch. The file is standard feature documentation.