Is canbirlik/claw-browser safe?
https://github.com/openclaw/skills/tree/main/skills/canbirlik/claw-browser
claw-browser is a Playwright-based web browser skill that does what it claims: it browses URLs, extracts page text, and takes screenshots using a real Chromium instance. The skill code is readable and contains no credential-harvesting logic; canary files were not exfiltrated. However, SKILL.md embeds an 'automatically run setup' directive that causes the agent to self-install pip packages and download ~150MB of Chromium binaries without user confirmation, and the unrestricted --url parameter creates an SSRF vector that could be exploited by adversarial page content or malicious task instructions.
Findings (7)
HIGH Embedded auto-execute setup instruction -30
SKILL.md contains the instruction 'If venv does not exist, run this setup command block automatically'. When this skill is injected into the agent's system prompt, this directive causes the agent to autonomously execute a four-step shell sequence (python3 -m venv venv, source venv/bin/activate, pip install -r requirements.txt, playwright install chromium) without presenting a confirmation dialog to the user. This bypasses normal human-in-the-loop controls for potentially expensive or risky operations.
MEDIUM Unapproved download of external browser binaries -20
The auto-setup sequence culminates in 'playwright install chromium', which downloads a full Chromium browser distribution (~150MB) from an external CDN without the user's knowledge or consent. This is a supply-chain dependency on Playwright's distribution infrastructure and triggers significant network I/O without user approval.
MEDIUM Unrestricted URL parameter enables SSRF -20
browser.py takes any URL via --url with no filtering, validation, or allowlist. An agent directed to use this skill could be manipulated (via prompt injection from a webpage or attacker-controlled task) to browse internal network addresses such as AWS metadata endpoints (169.254.169.254), internal APIs, or file:// URIs, and return their content to the conversation context as page text.
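One way to close most of this gap is to validate the --url value before handing it to Playwright. The check below is an added example, not code from the claw-browser skill; the injectable resolver hook and the hostnames used in its test are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    # Every address the name maps to; a single private hit rejects the URL.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_blocked(ip):
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url, resolver=_default_resolver):
    """Return (allowed, reason) for a --url value.

    Rejects anything but http(s), URLs without a host, and hosts that are or
    resolve to loopback, link-local (169.254.169.254), private or reserved
    addresses. `resolver` is injectable so the check can be tested offline.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        # Literal IP (brackets already stripped from IPv6 by urlsplit).
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    for ip in addrs:
        if _is_blocked(ip):
            return False, f"{host!r} maps to blocked address {ip}"
    return True, "ok"
```

Chromium resolves the name again when it connects and follows redirects, so this check narrows the SSRF vector but does not close DNS-rebinding or redirect-to-internal paths; an egress proxy policy is the stronger control.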
MEDIUM Full Chromium browser substantially expands agent attack surface -20
This skill transforms the agent from a text-only tool into one capable of JavaScript execution, authenticated session access, form submission, and interaction with any web resource. In combination with skills that can read or write files, the agent gains a near-complete web exploitation toolkit. Adversarial pages visited via this skill could contain prompt injection payloads that hijack subsequent agent behavior.
LOW Fixed screenshot output path silently overwrites previous evidence -5
All screenshots are written to the hardcoded path 'evidence.png' in the current working directory. There is no configurable output filename or timestamping. This means each screenshot call overwrites the previous one, which could cause unintended data loss or, in a forensic context, destroy prior audit evidence.
LOW Auto-setup pattern normalizes agent self-modification without user consent -10
By establishing 'run automatically if not present' as the setup pattern, this skill conditions the agent to self-install software components without prompting the user. A malicious skill using the same pattern could exploit this conditioning to install arbitrary packages under the guise of dependency setup.
INFO Malformed URL in documentation (authoring error) 0
Example 4 in SKILL.md contains a broken markdown URL 'https://google.com' that would be passed literally (including the brackets) as the --url argument if the agent copied it verbatim. This appears to be a copy-paste authoring error from a markdown renderer rather than an intentional injection attempt.