Is stagehand-browser-cli safe?

The browser skill grants the agent ability to navigate to any URL with no domain restrictions. An attacker (or prompt-injected agent) could exfiltrate sensitive data by encoding it in URL parameters and navigating to an attacker-controlled domain. The skill normalizes arbitrary URL navigation as expected behavior.

The .chrome-profile/ directory persists cookies, saved passwords, and session tokens between browser invocations. Any subsequent use of the skill (or any process with filesystem access) can access authenticated sessions without re-authentication. The REFERENCE.md explicitly documents this: 'Saved passwords and cookies persist between sessions'.

The skill setup requires npm install and npm link, which can execute arbitrary pre/post-install scripts. The package.json content was empty in the audit capture, meaning install scripts cannot be verified. npm link creates a globally accessible 'browser' binary that persists beyond the skill directory and survives skill uninstallation.

Chrome is launched with --remote-debugging-port=9222, creating a CDP endpoint accessible to any local process. While Chrome is running, any process on the machine can connect to this endpoint and control the browser, read page content, intercept network traffic, or access cookies.

The skill's environment selection logic reads .env files to check for BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID. This normalizes .env access as expected skill behavior, making it harder to detect if the skill also reads other sensitive values from .env files.

EXAMPLES.md Example 4 demonstrates logging into a website by passing username and password as plaintext in browser act commands. This normalizes credential exposure in shell history and agent conversation logs, training the agent to handle credentials insecurely.

The skill declares allowed-tools: Bash with no further restrictions. While necessary for a CLI tool, this grants the agent full shell execution capability within the skill's context, limited only by the agent framework's own sandboxing.

Filesystem monitoring detected an OPEN event on /home/oc-exec/.aws/credentials during the skill installation. While this may be standard SDK behavior (checking for credentials), it is notable that the file was accessed during what should be a simple skill clone operation.

When combined with other skills, this browser skill becomes a potent exfiltration channel. Any skill with prompt injection capability could instruct the agent to use the browser to navigate to an attacker-controlled URL with sensitive data encoded in the request. The browser's legitimate use makes this difficult to distinguish from normal operation.

The CDP download configuration automatically saves all files to ./agent/downloads/ without type restrictions, size limits, or user confirmation. This could be used to download malicious executables or large files.

The browser automation uses Claude Haiku 4.5 as an embedded AI model to interpret natural language actions and extract data from pages. This creates a nested AI call chain (user -> agent -> Stagehand -> Haiku) where prompt injection on visited web pages could influence the inner Haiku model's behavior.