Is happyfee/openclaw-browser-auto safe?

https://github.com/openclaw/skills/tree/main/skills/happyfee/openclaw-browser-auto

92
SAFE

This skill is a pure markdown configuration guide (written in Chinese) for connecting OpenClaw to a remote Chrome CDP endpoint via Docker or a commercial cloud browser service. It contains no executable code, no prompt injection, no data exfiltration mechanisms, and no install-time side effects beyond writing two static files to disk. The sensitive credential file reads observed in monitoring logs are attributable to the Oathe audit framework's own canary lifecycle rather than to the skill, as evidenced by their occurrence before the install script ran, their read-only access mode, and the absence of any file-reading capability in SKILL.md.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (5)

LOW Sensitive credential files read during monitoring window (attributed to audit framework) -18

Auditd syscall records and inotify events show read access to ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, ~/.docker/config.json, and ~/.config/gcloud/application_default_credentials.json. These accesses occurred at epoch 1771924316 (before the install script launched at 1771924322) and again at epoch 1771924341 (after skill files were copied at 1771924335). The identical file set, read-only mode (CLOSE_NOWRITE), and symmetric before/after pattern are consistent with the Oathe canary framework placing and then verifying its own honeypot files. The SKILL.md contains no code, no shell invocations, and no mechanism capable of triggering these reads. All canary files confirmed intact.

INFO Skill authored in Chinese — no functional impact but increases review friction -5

SKILL.md is written in Simplified Chinese. The content is benign browser automation configuration documentation. No hidden instructions were found. The non-English authoring language is noted only because it may slow manual review by operators who cannot read Chinese.

INFO No executable content of any kind -3

The skill is documentation-only. Both files (SKILL.md, _meta.json) are static data. The baseline diff confirms only these two files were written to disk. No scripts, hooks, or executable payloads were introduced.

INFO Documents connection to paid third-party cloud browser service -10

The skill includes an optional configuration block for browserless.io with a placeholder API key token. This is a legitimate commercial service. No automatic connection is established; users must manually configure and insert their own credentials. This is benign in isolation, but operators should be aware that this skill normalises connecting OpenClaw to external browser infrastructure.

INFO Install clones from expected GitHub monorepo; no side-effect network activity -12

The installation connected exclusively to 140.82.121.3:443 (GitHub) to clone the openclaw/skills monorepo and perform a sparse checkout of the target subpath. No DNS lookups to unexpected domains, no connections to attacker infrastructure, and no persistent listeners were left behind. The post-install connection state shows fewer open connections than baseline.