Is agent-browser-2 safe?

https://clawhub.ai/murphykobe/agent-browser-2

52
CAUTION

This audit is severely limited because the skill installation failed due to rate limiting, leaving no SKILL.md content or source code to analyze. The only artifact is a lock.json referencing a different skill name ('academic-research-hub'). Filesystem monitoring detected access to sensitive files (.aws/credentials, .env, auth-profiles.json) during the install attempt, though this may be platform-level behavior. Without the actual skill content, no assurance can be provided about prompt injection, data exfiltration, or code execution risks.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (8)

HIGH AWS credentials accessed during installation -35

The install process opened and read /home/oc-exec/.aws/credentials. While this may be platform-level behavior, credential file access during skill installation is a significant concern that warrants investigation.

HIGH Environment file and auth profiles read during install -30

The installation process read .env, openclaw.json, and auth-profiles.json multiple times. These files may contain API keys, tokens, and authentication credentials.

HIGH Empty SKILL.md prevents security analysis -50

The SKILL.md file is completely empty, providing no skill instructions. This means the skill's actual prompt-level behavior cannot be audited. A skill named 'agent-browser-2' with no visible instructions is suspicious — the actual behavior may be loaded dynamically or injected through other means.

MEDIUM Skill name mismatch in lock.json -25

The lock.json file references 'academic-research-hub' as the installed skill, but the audit target is 'agent-browser-2'. This mismatch suggests a redirect, a repackaged skill, or stale metadata from a previous installation.

MEDIUM Installation failed — incomplete audit -20

The skill installation failed with 'Rate limit exceeded', meaning the full skill content was never fetched. This audit is based on incomplete evidence. The actual skill code, dependencies, and prompt instructions are unknown.

LOW JIT-compiled modules created in temp directory -15

Multiple .cjs files were created in /tmp/jiti/ during installation, representing JIT-compiled TypeScript modules. These appear to be platform-level (openclaw runtime) rather than skill-specific, but represent code execution during the install process.

INFO No package.json, git hooks, submodules, or symlinks detected -20

The skill repository contains no package.json with install scripts, no git hooks, no submodules, and no symlinks. This reduces the code execution attack surface, though the skill content itself was not fully downloaded.

INFO Browser automation skill with no auditable content -70

A skill named 'agent-browser-2' likely provides browser automation capabilities. If active, this could enable: navigating to arbitrary URLs, interacting with authenticated web sessions, extracting page content, and potentially exfiltrating data through browser-based channels. Without the actual SKILL.md, these risks cannot be confirmed or denied.