Is skill/browser-secure safe?
https://clawhub.ai/skill/browser-secure
Browser-secure is a legitimate browser automation tool with security features including vault integration and credential management. While it accesses multiple sensitive credential files during execution, no data exfiltration was detected and the behavior appears consistent with its stated purpose.
Findings (7)
INFO Extensive credential handling documentation -5
SKILL.md contains detailed instructions for credential management and vault integration, which could potentially be misused but appear legitimate for a security-focused browser automation tool.
MEDIUM Access to sensitive credential files -25
The skill accessed multiple sensitive files including .env, SSH keys, AWS credentials, Docker config, and GCloud credentials during execution. However, no exfiltration was detected.
INFO Legitimate credential discovery behavior -5
File access appears to be for legitimate vault discovery purposes, based on the tool's stated functionality for secure browser automation with credential management.
LOW Setup and onboarding scripts -10
Contains setup scripts that execute during installation, including scripts/onboarding.js, but appears to follow standard npm installation patterns.
INFO Standard TypeScript compilation -5
Includes standard TypeScript compilation and build processes typical of legitimate npm packages.
INFO Package metadata requests -10
Makes HTTP requests to clawhub.ai for package metadata during installation, which is expected behavior for package managers.
MEDIUM Potential for credential misuse -25
The broad access to credential files, while appearing legitimate for its stated browser automation purpose, creates potential attack surface if the tool were compromised or misused.