Is browser-automation safe?

The skill requires running npm install and npm link but no package.json was included in the audit artifacts. This means the full dependency tree, including any preinstall/postinstall lifecycle scripts, cannot be inspected. An attacker could embed arbitrary code execution in install scripts.

The browser has full network access and can navigate to any URL. Combined with automatic .env file reading for API keys and a persistent Chrome profile that stores cookies and passwords, this creates multiple data exfiltration pathways. The agent could be instructed (or manipulated via web page content) to navigate to an attacker-controlled site with sensitive data encoded in URLs.

Filesystem monitoring shows the installation process read /home/oc-exec/.env and /home/oc-exec/.aws/credentials. While this may be the OpenClaw framework reading its own configuration, these files could contain sensitive secrets. No outbound network connections were observed, but the access itself is concerning.

The skill requests allowed-tools: Bash which grants unrestricted shell command execution. While browser automation legitimately needs shell access to invoke the CLI, this permission allows any shell command, not just the browser command. A prompt injection via web page content could escalate this to arbitrary command execution.

The skill instructs the agent to check .env files for API keys (BROWSERBASE_API_KEY, ANTHROPIC_API_KEY) as part of normal operation. This trains the agent to treat reading credential files as routine behavior, which could be exploited by other skills or prompt injections.

The npm link command creates a globally accessible browser command that persists beyond the skill's directory scope. This means the executable remains available system-wide even if the skill is removed, and could be invoked by other processes or skills.

Chrome is launched with --remote-debugging-port=9222, exposing a CDP endpoint on localhost. Any local process can connect to this port and execute arbitrary JavaScript in the browser context, access cookies, or manipulate page content.

When the agent navigates to a web page and extracts or observes content, malicious page content could contain prompt injection instructions. Since the extracted text is processed by the LLM, an attacker-controlled web page could instruct the agent to exfiltrate data, run shell commands, or modify files.

The .chrome-profile/ directory persists authentication cookies and saved passwords across sessions. If a user logs into a sensitive service during one session, those credentials remain accessible in subsequent sessions and could be replayed.

The installation process created directories and files in /tmp/ (openclaw-1000/ and jiti/). These appear to be OpenClaw framework compilation artifacts rather than skill-specific behavior, but they write outside the skill directory.

CDP download behavior is configured to automatically save all files with no type restrictions. While this is a feature, it could be exploited to download malicious executables.