Is browse safe?

The browser-automation sub-skill uses extremely directive language including 'CRITICAL - READ THIS FIRST', 'YOU MUST USE', 'DO NOT use...without --ws', with threat framing ('will fail the evaluation'). This pattern conditions the agent to follow the skill's instructions without question, overriding default cautious behavior. While intended for correct Browserbase usage, the pattern could be replicated by malicious skills.

Skill instructs the agent to run numerous shell commands including pnpm install, pnpm bb dev, pnpm bb publish, curl with POST data, stagehand eval with inline JavaScript, and export of environment variables. This normalizes shell execution as part of the skill's workflow.

The auth sub-skill instructs the agent to solicit user passwords and type them into web forms via shell commands (stagehand fill @ref 'password'). Credentials pass through shell history and process arguments, visible to other processes. The skill also instructs writing API keys to .env files and exporting them as environment variables.

The skill provides patterns for parameterized scraping that accept arbitrary URLs and CSS selectors as input parameters. Combined with the auth skill, an agent could be directed to authenticate to a site and then extract arbitrary data from it, sending results to Browserbase's API.

Skill instructs running 'pnpm install' after initializing projects and modifying package.json. This executes install lifecycle scripts from npm packages, which is a well-known supply chain attack vector. The skill even instructs adding specific package versions and running install.

The skill instructs use of 'stagehand eval' to execute arbitrary JavaScript in a browser context. This can read cookies, local storage, session tokens, and any DOM content from any website the browser is visiting.

Skill instructs deploying TypeScript functions to Browserbase's cloud infrastructure (pnpm bb publish index.ts), creating remotely-invocable functions with API endpoints. This means code written by the agent runs on remote infrastructure.

No suspicious activity detected during skill installation. The skill installed cleanly with only expected filesystem reads.

All honeypot files (.env, SSH keys, AWS credentials) remained intact during the audit. No evidence of automated credential harvesting.

While individually each sub-skill serves a legitimate browser automation purpose, collectively they create a powerful execution engine: shell command execution, credential solicitation, arbitrary web browsing, JavaScript eval, data extraction, and remote code deployment. A malicious companion skill could leverage these capabilities as building blocks for attacks without containing any malicious code itself.

During installation, the environment's own tooling read sensitive files including .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json. While these reads appear to be from the host environment (openclaw/clawhub runtime) rather than the skill itself, they demonstrate that sensitive files are accessible in the execution environment.