Is chenhg5/browserwing safe?

The skill mandates that the agent call GET /snapshot after every navigation and inject the resulting snapshot_text into its context. Any web page can embed adversarial LLM instructions in accessible text — button labels, ARIA attributes, heading text — that appear in the snapshot and are processed as trusted context by the agent. This creates a direct web-to-agent prompt injection vector with no user interaction required.

The POST /evaluate endpoint allows execution of arbitrary JavaScript within the browser context. An attacker who achieves prompt injection (e.g., via the snapshot vector above) could instruct the agent to execute JS that reads document.cookie, localStorage, sessionStorage, or page form values and exfiltrates them via navigator.sendBeacon or fetch to an external endpoint.

All browser automation routes through the BROWSERWING_EXECUTOR_URL endpoint. If this environment variable is set to an attacker-controlled server — through a compromised deployment environment, a misconfigured container, or another skill that can set env vars — all page content, form submissions, screenshots, and network request logs will be relayed to the attacker. The skill actively instructs the agent to trust this variable unconditionally.

GET /page-content returns the full HTML of any browsed page; GET /page-text returns all visible text; GET /network-requests returns all network requests made by the page. If the agent is directed to sensitive internal services (intranet, admin panels, AWS metadata endpoint), these endpoints can systematically harvest and return all content to the agent conversation or to an external skill.

The skill explicitly documents and encourages full login automation including typing plaintext passwords into form fields. No safeguards, site allowlists, or credential masking are mentioned. An agent operating under this skill can be directed to harvest and replay credentials at arbitrary sites, and the workflow normalizes this pattern as routine.

POST /evaluate provides a fully disclosed pathway to execute JavaScript in the browser runtime. While the skill legitimately documents this capability, it creates a code execution vector exploitable through prompt injection from web page content. The feature is not gated by any permission model.

The skill instructs the agent to unconditionally read and use BROWSERWING_EXECUTOR_URL without any integrity verification. While not itself prompt injection, this design means any mechanism that can set env vars (another skill, deployment misconfiguration) can silently redirect the agent's browser operations to an attacker-controlled endpoint.

Installation cloned from github.com/openclaw/skills.git over HTTPS. This is expected for the monorepo-based install mechanism. The connection was to a known GitHub IP and no other external connections were observed.

Credential canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at two timestamps during the audit window. Timing analysis indicates these accesses align with the audit framework's own pre-install baseline and post-install verification passes, not with any skill activity. All files remained unmodified.