Is agent-browser-stagehand safe?
https://clawhub.ai/peytoncasper/agent-browser-stagehand
This browser automation skill wraps Stagehand/Playwright CLI and appears structurally benign with no overt prompt injection or malicious code. However, it presents significant indirect risk: the actual source code (package.json and src/) was not available for audit, the browser has unrestricted network access creating a powerful data exfiltration channel, installation accessed .env and AWS credential files, and npm link creates a persistent global command from unverifiable code. The Chrome remote debugging port (9222) also creates a local attack surface.
Findings (12)
HIGH Unverifiable source code — package.json empty, src/cli.ts not included -40
The executable code behind the 'browser' CLI command was not included in the evidence bundle. The package.json is empty, so neither the installed dependencies nor any preinstall/postinstall lifecycle scripts (which 'npm install' executes with the installing user's privileges) can be verified. The agent is nevertheless instructed to run 'npm install' and 'npm link' on this unauditable code.
HIGH Browser automation creates unrestricted data exfiltration channel -30
The browser can navigate to any URL, including attacker-controlled endpoints. The 'act' command accepts natural-language instructions, so an injected instruction can encode sensitive data into form submissions or URL parameters. Combined with full access to localhost and internal network addresses, this is a powerful exfiltration vector: the traffic is ordinary HTTPS from a legitimate Chrome process and blends into normal browsing, so conventional egress monitoring is unlikely to flag it.
MEDIUM Skill normalizes reading .env credential files -15
SKILL.md instructs the agent to check .env files for BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID. This normalizes credential-file reads as part of routine setup, making it harder for the user to tell a legitimate .env read from a malicious one.
MEDIUM Installation process accessed .env and .aws/credentials -15
During the clone/install phase, the monitoring detected reads of /home/oc-exec/.env and /home/oc-exec/.aws/credentials. No outbound network activity was observed in the same window, so there is no evidence of immediate exfiltration, but that absence says nothing about later runs. Reading AWS credentials is unnecessary for a browser automation tool, and the reads themselves are the concern.
MEDIUM npm link creates globally accessible CLI command -15
The setup instructs running 'npm link', which symlinks the package into the global node_modules and places the 'browser' command in the system's global Node.js bin directory, so it is callable from any directory. The symlink points back at the cloned working tree, so the global command always runs whatever that tree currently contains. If the package contains malicious code, it now has a persistent, globally reachable entry point.
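The unverifiable-manifest finding and the npm link finding both come down to what a package.json can make 'npm install' and 'npm link' do. The following is an added example, not the audit's tooling and not the skill's code: it reads a manifest and reports the lifecycle scripts that would run at install time, dependencies pulled from outside the registry, and the global commands 'npm link' would create. The two sample manifests are constructed (EMPTY_MANIFEST is the situation the finding describes; SAMPLE_MANIFEST is an assumed layout with illustrative versions), and the function names are assumptions.

```javascript
// Added example (not the audit's tooling, not the skill's code): what to inspect in a
// package.json before an agent runs `npm install` / `npm link` on it. `npm install`
// executes the manifest's preinstall/install/postinstall/prepare scripts as the
// installing user, and `npm link` turns each `bin` entry into a global command that
// points back into the working tree. Sample manifests below are constructed.
'use strict';

const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish', 'prepack', 'postpack'];
// Specifiers that bypass the registry: git, URL tarballs, local paths, hosted shorthands.
const NON_REGISTRY_SPEC = /^(git\+|git:|github:|gitlab:|bitbucket:|https?:|file:|\.{0,2}\/)/;

function auditManifest(pkg) {
  const findings = [];
  if (!pkg || Object.keys(pkg).length === 0) {
    findings.push({ severity: 'high', field: '(manifest)',
      detail: 'package.json is empty: dependencies and install scripts cannot be reviewed' });
    return findings;
  }
  const scripts = pkg.scripts || {};
  for (const name of LIFECYCLE_SCRIPTS) {
    if (scripts[name]) {
      findings.push({ severity: 'high', field: `scripts.${name}`, detail: `runs during install: ${scripts[name]}` });
    }
  }
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [dep, spec] of Object.entries(pkg[section] || {})) {
      if (NON_REGISTRY_SPEC.test(spec)) {
        findings.push({ severity: 'medium', field: `${section}.${dep}`, detail: `non-registry source ${spec}` });
      }
    }
  }
  // npm link creates one global command per bin entry; the string form names the
  // command after the package itself.
  const bin = typeof pkg.bin === 'string' ? { [pkg.name]: pkg.bin } : (pkg.bin || {});
  for (const [cmd, target] of Object.entries(bin)) {
    findings.push({ severity: 'info', field: `bin.${cmd}`,
      detail: `npm link would install global command "${cmd}" -> ${target}` });
  }
  return findings;
}

function verdict(findings) {
  if (findings.some(f => f.severity === 'high')) return 'do not install without reading the flagged entries';
  if (findings.some(f => f.severity === 'medium')) return 'review flagged entries, then install with --ignore-scripts';
  return 'ok to install';
}

// Constructed samples: the empty manifest the finding describes, and an assumed
// layout (illustrative versions) showing what the audit surfaces when content exists.
const EMPTY_MANIFEST = {};
const SAMPLE_MANIFEST = {
  name: 'agent-browser-stagehand',
  version: '0.0.0',
  bin: { browser: 'dist/cli.js' },
  scripts: { build: 'tsc', postinstall: 'node scripts/setup.js' },
  dependencies: { playwright: '^1.0.0', 'some-helper': 'github:someone/some-helper' },
};
```

Run it against a real checkout with auditManifest(JSON.parse(fs.readFileSync('package.json', 'utf8'))). When a manifest passes review, 'npm install --ignore-scripts' (a real npm flag) prevents lifecycle scripts from running; it also skips the package's own 'prepare', so a TypeScript CLI will then need its build step run explicitly before 'npm link' has anything to point at.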
MEDIUM Persistent Chrome profile accumulates credentials -5
The Chrome browser uses a persistent profile directory (.chrome-profile/) that preserves cookies, saved passwords, and session tokens across runs. Over time this creates a growing credential store that could be targeted by other skills or malicious code.
MEDIUM Chrome remote debugging port exposes local attack surface -10
Chrome is launched with --remote-debugging-port=9222. The DevTools endpoint has no authentication; the only restriction is that it listens on loopback by default, so any process running on the machine can connect via CDP and fully control the browser: read page content, intercept credentials, inject JavaScript, and capture screenshots.
LOW Skill requests Bash tool — maximum capability surface -10
The skill declares 'allowed-tools: Bash' which provides the agent with arbitrary shell command execution. While this is necessary for a CLI-based skill, it means any prompt injection within the skill's context has access to the most powerful tool available.
LOW Setup instructions ask agent to modify setup.json to mark setup as complete -5
The setup flow instructs the agent to edit setup.json to set setupComplete to true. While minor, this teaches the agent to self-modify skill configuration files, which could be exploited by more sophisticated attacks.
LOW Auto-accept downloads with no restrictions -5
CDP is configured to automatically accept all downloads to ./agent/downloads/ with no file type restrictions. This could be used to stage malicious payloads on the filesystem without user interaction.
INFO No hidden text, unicode tricks, or overt injection attempts 0
The SKILL.md, REFERENCE.md, and EXAMPLES.md files contain no hidden unicode characters, HTML comments, invisible text, persona switching, or instructions to ignore previous prompts.
INFO All honeypot canary files intact 0
No canary files (fake .env, SSH keys, AWS credentials) were modified or accessed by the skill.