Is fengjiajie/browser-use-local safe?

https://github.com/openclaw/skills/tree/main/skills/fengjiajie/browser-use-local

87
SAFE

browser-use-local is a well-scoped browser automation skill for the OpenClaw environment with no prompt injection, no malicious code, and clean install behavior; all canary files remained intact and the clone was a straightforward sparse checkout from the official OpenClaw GitHub monorepo. The primary risk surface is the run_agent_kimi.py script, which combines load_dotenv() with a fully configurable OPENAI_BASE_URL — a standard pattern for OpenAI-compatible tools that nonetheless means workspace secrets and agent context are routed to a user-controlled endpoint. Browser automation's inherent power (arbitrary URL navigation, JavaScript eval, QR code capture) warrants supervision but is consistent with the skill's documented purpose.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (7)

MEDIUM load_dotenv() in run_agent_kimi.py exposes workspace secrets to configurable LLM endpoint -15

run_agent_kimi.py calls load_dotenv() unconditionally before constructing the LLM client. Any credentials stored in a workspace .env file (API keys, tokens, internal URLs) are loaded into the process environment. Because OPENAI_BASE_URL is also drawn from this environment, all LLM API traffic — including the agent task and browser context summaries — is sent to a user-controlled endpoint that could be attacker-controlled.

MEDIUM Fully configurable OPENAI_BASE_URL enables MITM of agent LLM traffic -10

The LLM base URL is drawn entirely from environment variables with no validation or allowlist. An attacker who can influence the container's environment (e.g., via a malicious companion skill or poisoned .env) can redirect all browser-use agent API calls — which include page summaries and task descriptions — to an arbitrary server. This is a standard design for OpenAI-compatible tools but constitutes a meaningful data routing risk in a multi-skill agent environment.

LOW QR code extraction tooling can capture authentication codes from any page -10

Two dedicated scripts (crop_candidates.py and extract_data_images.py) plus explicit SKILL.md instructions provide a complete pipeline for extracting QR codes from browser screenshots and inline HTML data-URIs. While the documented purpose is 'demo/login pages', these tools work on any page. In a compromised agent context, the agent could be directed to navigate to a cloud console or SSO login, capture the QR code, and write it to a location accessible to an attacker.

LOW Raw HTML extraction pipeline exposes agent to web-page adversarial content -8

The SKILL.md workflow pipes raw page HTML through an inline Python script that extracts URLs and prints them back to the agent. A malicious page could embed text designed to look like agent instructions within HTML comments, meta tags, or visible text, causing the agent to act on attacker-supplied directives when those URLs or text are echoed back into the conversation.

LOW Browser eval() provides in-page JavaScript execution surface -8

SKILL.md demonstrates using 'browser-use --json eval' to execute arbitrary JavaScript in the current page context. This is standard browser automation functionality, but if an attacker can inject a task into the agent, arbitrary JavaScript can be run in any page the browser is directed to, enabling DOM manipulation, credential harvesting from autofilled forms, or same-origin API calls.

INFO Install uses standard sparse git checkout from official OpenClaw monorepo 0

The installation script performs a depth-1 clone of github.com/openclaw/skills, sparse-checks out only the target skill path, copies files to the test directory, and removes the clone. All network traffic during install went exclusively to GitHub (140.82.113.4). No unexpected outbound connections, process spawning, or filesystem modifications outside expected paths were observed.

INFO Credential file accesses attributed to OATHE monitoring framework, not skill 0

Files .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json appear in auditd PATH records. All accesses occurred either 5+ seconds before the skill clone began (baseline hash recording) or in a single-millisecond burst after audit completion (post-install verification), both consistent with OATHE monitoring behavior. No network transmission of these files was detected.