Is fast-browser-use safe?
https://clawhub.ai/rknoche6/fast-browser-use
fast-browser-use is a legitimate Rust-based browser automation tool with comprehensive CDP integration, but it presents significant security concerns for AI agent use. The skill provides unrestricted arbitrary JavaScript execution, cookie/session theft capabilities, and bot detection bypass, all explicitly documented as features. While no malicious behavior was detected during installation and canary files remained intact, the breadth of capabilities combined with social-engineering recipe titles ('Cookie Heist', 'Bypass Bot Detection') makes this skill a high-risk component in multi-skill agent environments.
Findings (9)
HIGH SKILL.md normalizes adversarial browser techniques -30
The SKILL.md includes recipes titled 'Bypass Bot Detection via Human Emulation' and 'Login & Cookie Heist' that coach the agent to circumvent security controls and steal session credentials. While these may have legitimate automation use cases, presenting them as named recipes normalizes these behaviors and makes the agent more likely to employ them without user scrutiny.
HIGH Arbitrary JavaScript execution enables credential theft -30
The evaluate tool allows executing arbitrary JavaScript in the browser context of any page the agent navigates to. This can be used to extract authentication tokens, session IDs, form data, and any other page-accessible data. Combined with the navigate tool, extracted data could be sent to attacker-controlled endpoints.
HIGH Excessive capability scope beyond stated purpose -25
The skill claims to be a 'DOM extraction' and 'browser automation' tool but includes capabilities for arbitrary JS execution, cookie management, local storage access, session persistence/replay, and human emulation for bot detection bypass. This scope far exceeds what's needed for the stated purpose of 'token-efficient DOM extraction'.
MEDIUM Embedded JavaScript injected into browser pages -20
Multiple JavaScript files are embedded into the skill and injected into browser page contexts during DOM extraction and content conversion. While the reviewed code (extract_dom.js, convert_to_markdown.js) appears to perform legitimate DOM analysis and Readability extraction, the pattern of injecting JS into arbitrary page contexts creates an attack surface if these files were modified.
MEDIUM Brew tap installation could execute arbitrary code -25
The skill specifies installation via a Homebrew tap (rknoche6/tap/fast-browser-use). Homebrew tap formulae are Ruby scripts that can execute arbitrary code during installation, including downloading and running external binaries. This install vector was not exercised during this audit (ClawHub install was used instead).
MEDIUM Cookie and local storage tools enable session hijacking -20
Dedicated tools for reading/writing cookies and local storage allow an agent to extract all session data from any origin it visits, persist it to files, and replay it later. This is explicitly demonstrated in the 'Cookie Heist' recipe.
LOW CODEBUDDY.md included alongside SKILL.md -5
A CODEBUDDY.md file is included that provides detailed architectural guidance for the codebase. While this is a development aid, some agent frameworks may also parse and follow instructions in non-SKILL.md files, potentially expanding the skill's influence on agent behavior.
INFO Framework bootstrapping reads sensitive files during install -10
Filesystem monitoring showed reads of .env, .aws/credentials, .bashrc, .profile, and OpenClaw configuration files. These are attributable to the OpenClaw agent framework bootstrapping process, not the skill itself. However, this demonstrates that sensitive files are accessible in the execution environment.
INFO High-risk skill combination potential -15
While this skill alone cannot directly read local filesystem credentials, when combined with skills that have filesystem access, an attacker could chain the two: (1) a filesystem skill reads sensitive files, then either (2) this skill navigates to an attacker-controlled URL with the data as parameters, or (3) this skill's evaluate tool posts the data to an external endpoint via fetch(). The skill is a powerful exfiltration vehicle in a multi-skill environment.