Is gostlightai/cdp-browser safe?
https://github.com/openclaw/skills/tree/main/skills/gostlightai/cdp-browser
This CDP browser automation skill provides legitimate but powerful browser control: JavaScript execution in page contexts, screenshot capture, and posting to X/Twitter from the browser's logged-in session. The code appears well engineered and its security considerations are documented, but capabilities of this power carry inherent risk if the skill is misused or the browser's debugging endpoint is exposed.
Findings (6)
HIGH Arbitrary JavaScript execution in browser contexts -20
The eval command executes arbitrary JavaScript inside the page context of a browser target, so the code runs with that page's origin, DOM and cookies. This is standard browser-automation functionality, but whoever can issue the command has the same reach on that site as the logged-in user, which makes it a security risk if misused.
MEDIUM Screenshot capability may capture sensitive information -15
The snapshot command takes full-page screenshots. When the tab belongs to a logged-in session (mail, banking, admin consoles), the image can inadvertently capture sensitive information displayed in the window and needs to be handled as sensitive data wherever it is stored or forwarded.
MEDIUM Tweet functionality could post unauthorized content -15
The tweet command posts to X/Twitter through the browser's existing logged-in session, so no separate credential gates the action; a misused or mis-prompted invocation could publish inappropriate or sensitive content under the user's account.
MEDIUM High-power browser automation with abuse potential -20
Beyond the individual commands, the skill offers extensive browser control that, while legitimate for automation, could be used to reach any site the browser is already logged in to and to extract data from those sessions.
LOW Dependency on external Chrome with debugging enabled -10
Requires Chrome/Chromium launched with remote debugging on port 9222. The DevTools endpoint has no authentication: any process that can reach the port can list open tabs and attach to them, so it expands the attack surface unless it stays bound to loopback (Chrome's default) and is not exposed through a network interface, container port mapping or reverse proxy.
INFO Well-documented security considerations 0
The skill includes comprehensive security documentation outlining implemented protections and operational considerations.
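The eval, snapshot, tweet and remote-debugging findings above reduce to two operator questions: how was Chrome launched, and which open tabs is each command allowed to touch? The following Node.js script is an added example written for this review; it is not code from the gostlightai/cdp-browser skill or from the OpenClaw repository. The Chrome command line, the /json/list response and the host policy it checks are constructed assumptions, and the function names (auditChromeFlags, decide, exposedSessions, report) are illustrative and do not exist in the skill.

```javascript
// Added example (not code from the gostlightai/cdp-browser skill or its review):
// an operator-side pre-flight audit for a CDP-driven browser. The Chrome command
// line, the /json/list response and the host policy below are constructed for
// illustration and are assumptions, not the skill's configuration.

// --- 1. Audit how Chrome was launched -------------------------------------
// Facts relied on: --remote-debugging-port opens an HTTP + WebSocket endpoint
// with no authentication; --remote-debugging-address defaults to 127.0.0.1;
// --remote-allow-origins=* removes the Origin check on that WebSocket.
function parseFlags(argv) {
  const flags = {};
  for (const arg of argv.slice(1)) {          // argv[0] is the binary
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    if (eq === -1) flags[arg.slice(2)] = true;
    else flags[arg.slice(2, eq)] = arg.slice(eq + 1);
  }
  return flags;
}

function auditChromeFlags(argv) {
  const f = parseFlags(argv);
  const findings = [];
  const port = f['remote-debugging-port'];
  if (port === undefined) return { debugging: false, findings };
  const address = f['remote-debugging-address'] || '127.0.0.1';
  const loopback = ['127.0.0.1', '::1', 'localhost'].includes(address);
  if (!loopback) findings.push(`debug endpoint bound to ${address}:${port}: reachable from the network, no authentication`);
  if (f['remote-allow-origins'] === '*') findings.push('--remote-allow-origins=*: Origin check on the DevTools WebSocket disabled');
  if (!f['user-data-dir']) findings.push('no --user-data-dir: automation shares the default profile and its logged-in sessions');
  return { debugging: true, port: Number(port), address, loopback, findings };
}

// --- 2. What an unauthenticated client sees, and what the operator allows ---
// GET /json/list on the debug port returns one entry per target: id, type,
// title, url and a webSocketDebuggerUrl that accepts CDP commands directly.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ''; }
}
function hostMatches(host, pattern) {
  return host === pattern || host.endsWith('.' + pattern);
}

// Assumed operator policy (not the skill's own): eval only on named hosts, no
// screenshots of mail or banking tabs, tweet only on X and only when the caller
// has explicitly confirmed the post.
const POLICY = {
  evalAllowedHosts: ['docs.example.com'],
  snapshotDeniedHosts: ['mail.example.com', 'bank.example.com'],
  tweetHosts: ['x.com', 'twitter.com'],
};

function decide(command, target, policy = POLICY, opts = {}) {
  if (target.type !== 'page') return { allow: false, reason: `not a page target (${target.type})` };
  const host = hostOf(target.url);
  const inList = (list) => list.some((p) => hostMatches(host, p));
  switch (command) {
    case 'eval':
      return inList(policy.evalAllowedHosts)
        ? { allow: true, reason: `${host} is on the eval allowlist` }
        : { allow: false, reason: `eval refused on ${host}: it would run with that page's cookies and DOM` };
    case 'snapshot':
      return inList(policy.snapshotDeniedHosts)
        ? { allow: false, reason: `screenshots refused on ${host}` }
        : { allow: true, reason: 'no snapshot restriction for this host' };
    case 'tweet':
      if (!inList(policy.tweetHosts)) return { allow: false, reason: `tweet applies only to ${policy.tweetHosts.join(', ')}` };
      return opts.confirmed === true
        ? { allow: true, reason: 'X session with explicit confirmation' }
        : { allow: false, reason: 'tweet requires confirmed: true' };
    default:
      return { allow: false, reason: `unknown command ${command}` };
  }
}

// Every page target that anyone reaching the port could attach to.
function exposedSessions(targets) {
  return targets.filter((t) => t.type === 'page')
    .map((t) => ({ host: hostOf(t.url), title: t.title, ws: t.webSocketDebuggerUrl }));
}

// --- Constructed sample input (shape of a real /json/list, values made up) --
const SAMPLE_ARGV = ['chrome', '--remote-debugging-port=9222',
  '--remote-debugging-address=0.0.0.0', '--remote-allow-origins=*'];
const SAMPLE_TARGETS = [
  { id: 'A1', type: 'page', title: 'Inbox', url: 'https://mail.example.com/inbox',
    webSocketDebuggerUrl: 'ws://127.0.0.1:9222/devtools/page/A1' },
  { id: 'B2', type: 'page', title: 'Home / X', url: 'https://x.com/home',
    webSocketDebuggerUrl: 'ws://127.0.0.1:9222/devtools/page/B2' },
  { id: 'C3', type: 'page', title: 'Docs', url: 'https://docs.example.com/',
    webSocketDebuggerUrl: 'ws://127.0.0.1:9222/devtools/page/C3' },
  { id: 'D4', type: 'service_worker', title: 'sw.js', url: 'https://x.com/sw.js',
    webSocketDebuggerUrl: 'ws://127.0.0.1:9222/devtools/service_worker/D4' },
];

function report(argv, targets) {
  return {
    launch: auditChromeFlags(argv),
    exposed: exposedSessions(targets),
    decisions: targets.map((t) => ({
      url: t.url,
      eval: decide('eval', t).allow,
      snapshot: decide('snapshot', t).allow,
      tweet: decide('tweet', t, POLICY, { confirmed: true }).allow,
    })),
  };
}

console.log(JSON.stringify(report(SAMPLE_ARGV, SAMPLE_TARGETS), null, 2));
```

Run it with node. The first half flags a launch that binds the debug port to 0.0.0.0, disables the Origin check, or shares the default profile; the second half refuses eval outside an allowlist, screenshots of mail or banking tabs, tweet against anything but the X session, and any tweet the caller has not explicitly confirmed. A wrapper around the skill would call decide() with the real target entry fetched from http://127.0.0.1:9222/json/list before forwarding a command.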