Is liranudi/web-pilot safe?

https://github.com/openclaw/skills/tree/main/skills/liranudi/web-pilot

81
SAFE

Web Pilot is a legitimate browser automation skill built on Playwright/Chromium with no malicious code, no prompt injection attempts in SKILL.md, and a clean installation that contacts only expected GitHub infrastructure. The primary risks are inherent to the class of tool: a persistent eval action allows arbitrary JavaScript execution in the browser context, SSL verification is silently bypassed on certificate errors creating a MITM window, and the skill's page-reading capabilities create a prompt injection surface via malicious web content. No canary files were accessed or exfiltrated.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 98/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (9)

HIGH Silent SSL Verification Bypass on SSLError -15

download_file.py catches SSLError and retries the request with verify=False. This means any network-level attacker who can trigger an SSL error (e.g., by injecting a certificate warning) will silently receive the connection without TLS validation, enabling man-in-the-middle interception of downloaded content and any credentials transmitted.

HIGH Arbitrary JavaScript Execution in Browser Context -15

browser_session.py exposes an 'eval' action that passes user-supplied code directly to Playwright's page.evaluate(). This allows any caller (including an LLM agent that has been prompt-injected via web content) to execute arbitrary JavaScript in the browser, access cookies, localStorage, session tokens, and potentially exfiltrate them via fetch() or XMLHttpRequest.

MEDIUM Unauthenticated Proxy Support Enables Traffic Interception -10

Both download_file.py and browser_session.py accept a --proxy parameter that routes all HTTP/HTTPS traffic through an arbitrary proxy with no authentication, URL validation, or allowlist. If an agent is prompt-injected to add a proxy flag, all browsing and download traffic can be intercepted.

MEDIUM Unrestricted Filesystem Write Paths for Downloads and Screenshots -7

download_file.py --output and browser_session.py screenshot path arguments accept arbitrary filesystem paths. An LLM agent could be instructed to write files to sensitive locations (e.g., ~/.ssh/authorized_keys, cron directories) if it has the required permissions.

MEDIUM Browser Automation Enables Web-Page Prompt Injection -15

When the agent reads page content via read_page.py or browser_session extract, malicious web pages can embed natural-language instructions targeting the LLM. The agent may then execute those instructions using the browser's fill/submit/navigate/eval capabilities without user awareness.

LOW Persistent Background Process via os.fork() -8

browser_session.py uses os.fork() and os.setsid() to create a daemonized browser server that persists after the invoking command exits. This process holds an open browser and Unix socket at /tmp/web-pilot-browser.sock and writes a PID file. The process will continue running even after the agent session ends.

LOW Browser-Mediated Prompt Injection Surface -12

The skill provides multiple ways for web content to influence agent behavior: read_page.py and browser_session extract return raw page text directly into the agent's context. Malicious operators of visited web pages can embed LLM instructions in their HTML content.

INFO User-Agent Spoofing 0

All scripts use a hardcoded Chrome/120 User-Agent string to impersonate a real browser. This is standard practice for web scraping but could violate terms of service and complicate incident response attribution.

INFO Automatic Cookie Consent Dismissal 0

The skill automatically dismisses cookie consent banners using heuristic selector and text matching. While user-friendly, this may have legal implications in jurisdictions where explicit consent is required (e.g., GDPR) and removes a privacy control from the user.