Is agent-browser-3 safe?
https://clawhub.ai/tekkenKK/agent-browser-3
agent-browser-3 is a legitimate browser automation skill that wraps a CLI tool for web testing and interaction. It contains no prompt injection, no malicious install-time behavior, and all canary files remain intact. However, its runtime capabilities are extremely broad — including arbitrary JavaScript execution, cookie/storage access, network interception, proxy routing, and file:// protocol support — creating a significant attack surface if exploited through skill chaining or prompt injection.
Findings (10)
MEDIUM Broad credential access capabilities -20
The skill provides commands to read, set, and export all cookies and browser storage (localStorage, sessionStorage). The state save command serializes all authentication tokens to a JSON file. These capabilities could be leveraged to exfiltrate user credentials from authenticated browser sessions.
MEDIUM Arbitrary JavaScript execution in browser context -15
The eval command allows running arbitrary JavaScript in the browser page context. This can access any DOM content, cookies, storage, and make network requests from the page's origin - enabling data exfiltration through the browser.
MEDIUM Network interception and proxy routing -10
The skill allows intercepting network requests, mocking responses, and routing all traffic through arbitrary proxy servers. An attacker could route traffic through their proxy to capture credentials or inject malicious responses.
MEDIUM Executable shell script templates included -10
Three shell scripts are included as templates. While they appear benign (mostly commented-out examples), they are executable and could be run directly. The scripts themselves don't contain malicious payloads but establish a pattern of shell execution.
MEDIUM Arbitrary JavaScript eval capability -15
The eval command provides a direct code execution path through the browser's JavaScript engine. While scoped to browser context, this can be used to execute complex logic, make fetch requests, or interact with browser APIs.
LOW Broad tool permission scope -10
The skill requests Bash(agent-browser:*) which allows any agent-browser subcommand. While appropriately namespaced, this grants access to all capabilities including eval, network interception, and credential manipulation without per-command granularity.
LOW Eval and file:// protocol could enable indirect attacks -5
The documentation for eval and file:// URL support could be leveraged by a separate prompt injection to instruct the agent to read local files or execute arbitrary code through the browser automation layer.
LOW Sensitive file reads during installation -10
During installation, filesystem monitoring captured reads of .env, .aws/credentials, and .openclaw configuration files. These appear to originate from the openclaw/clawhub framework rather than the skill itself, but were observed during the skill installation process.
INFO Powerful attack surface in skill combination scenarios -55
While benign alone, this skill provides a complete browser automation toolkit that becomes dangerous when combined with prompt injection or malicious co-installed skills. An attacker could chain: open malicious URL -> eval JS payload -> exfiltrate data, or save auth state -> read state file -> send to external endpoint.
INFO No install-time code execution 0
Empty package.json means no npm lifecycle scripts. No git hooks or submodules. The skill is purely documentation and shell script templates.