Is clulessboy/ds160-autofill safe?

The file scripts/ds160-filler.js is the core execution engine of the skill, loaded and run via browser evaluate (CDP) for every page of form filling. The monitoring system executed 'cat /home/oc-exec/skill-under-test/scripts/ds160-filler.js' but no content appears in the collected evidence. This makes it impossible to verify whether the file performs only form-filling or also reads user data from the page and exfiltrates it through browser network requests, which would be invisible to the agent's tool-level monitoring.

The skill systematically collects and writes to disk the most sensitive categories of personal data governed by immigration law: Social Security Number (three separate fields), passport number, national ID number, date of birth, home address, phone numbers, email, social media handles, parents' names and dates of birth, employment history with salary, and a full security background questionnaire covering arrests, drug abuse, terrorist organization membership, genocide, torture, money laundering, human trafficking, and immigration fraud history. All data is stored in plaintext CSV and JSON in the working directory without encryption.

The skill stores the DS-160 application's security question and its plaintext answer, plus the Application ID (which is the primary resumption credential for the visa application), in ds160/ds160-session.json. Anyone with access to this file can resume the DS-160 application on behalf of the user, view or modify application data, or answer the security challenge. The skill also instructs the agent to report the security question and answer to the user in chat output, creating an additional exposure vector.

All six canary honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were opened and read at two distinct monitoring timestamps. The first set (1771904507.455) is 23ms after monitoring setup and is clearly the monitoring infrastructure's baseline check. The second set (1771904530.078) occurs ~22 seconds after install completion; no EXECVE records in the provided evidence unambiguously attribute this second read to the monitoring system versus a skill-triggered process. No modification or confirmed exfiltration was detected.

The skill's core workflow injects ds160-filler.js into the browser via Chrome DevTools Protocol evaluate. Code running in this context has full access to: the ceac.state.gov DOM and any form data currently filled, cookies and session tokens for all sites in the 'openclaw' profile, localStorage and sessionStorage, browser history within the profile, and the ability to initiate arbitrary XMLHttpRequest or fetch() calls from the browser's network context, which would not be intercepted by the agent's network monitoring layer.

The skill uses LLM vision (image tool) to programmatically solve CAPTCHAs on ceac.state.gov, the US State Department's nonimmigrant visa application system. CAPTCHAs are a deliberate security control to prevent automated access. Bypassing them potentially violates 18 U.S.C. § 1030 (Computer Fraud and Abuse Act) and the DS-160 system's terms of use. This capability could also be misused to automate submission of fraudulent visa applications at scale.

The skill requires all browser operations to use the named profile 'openclaw', which persists authentication cookies and session tokens for ceac.state.gov between skill invocations and potentially across other browser-using skills. A successfully authenticated session to the US visa system would remain active in the profile after the skill completes, accessible to any subsequent skill or agent action that uses the same browser profile.

The skill includes an Important Note stating 'NEVER submit the final form — this is for automation/testing only' and does not include the final submission page in the page sequence. However, this is purely instructional text in SKILL.md — there is no technical mechanism (no disabled button, no code check, no confirmation requirement) preventing an agent from being prompted or socially engineered to click a submit button if one is present on the page.

The skill is installed via git sparse-checkout from github.com/openclaw/skills. The install process was clean with no unexpected network connections, no subprocess spawning outside git operations, and all file writes confined to the skill directory. The skill's content integrity depends on the GitHub repository not being compromised.