Is browsh safe?

The skill wraps browsh + headless Firefox, giving the agent the ability to render and interact with arbitrary web pages. While this is the skill's stated purpose, a full browser engine is a powerful capability that could be leveraged for SSRF, credential harvesting from authenticated sessions, or accessing internal network resources.

The skill suggests adding $HOME/apps and $HOME/apps/firefox to PATH. If an attacker could write to ~/apps before this skill is invoked, they could place malicious binaries named 'browsh' or 'firefox' that would be executed instead of the legitimate tools.

The OpenClaw runtime (not the skill itself) accessed .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json during skill installation. This is standard runtime behavior but is noted for completeness. The skill code contains no instructions to access these files.

SKILL.md contains only standard documentation: prerequisites, PATH setup, and usage examples. No hidden unicode, HTML comments, markdown tricks, persona overrides, or instruction hijacking attempts found.

The skill recommends running browsh in a PTY session (tmux or process tool with pty=true). PTY sessions can have different security properties than standard process execution, potentially enabling escape sequences or terminal injection attacks.

Installation completed with only standard runtime filesystem activity. No network connections, no unexpected processes, no filesystem changes outside expected paths.