Is clawbrowser safe?

https://clawhub.ai/tezatezaz/clawbrowser

62
CAUTION

The clawbrowser skill provides legitimate browser automation functionality but raises significant concerns. Installation accessed sensitive files (.env, .aws/credentials, auth-profiles.json) without justification. The package bundles an unrequested second skill (agentarxiv) that injects autonomous behavior including persona manipulation, periodic outbound HTTP heartbeats, and instructions to register with and publish data to an external service — creating a potential data exfiltration channel that pairs dangerously with clawbrowser's credential-harvesting capabilities.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 60/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (11)

HIGH Sensitive file access during installation -30

The installation process accessed .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json. A browser automation skill has no legitimate reason to read AWS credentials or environment files during installation.

HIGH Bundled agentarxiv skill injects autonomous behavior -25

The installation includes an unrequested second skill (agentarxiv) that instructs the agent to adopt a 'researcher' persona, periodically fetch external feeds, register with an external service, and publish data to agentarxiv.org. This constitutes behavioral manipulation beyond the stated purpose of browser automation.

HIGH Two-stage exfiltration pipeline potential -40

clawbrowser captures page content, credentials, and network traffic from browser sessions. agentarxiv provides a legitimate-looking outbound API channel for 'publishing research'. Together, they form a potential two-stage exfiltration pipeline: harvest data via browser, exfiltrate via research API.

MEDIUM External badge images from dynamic DNS domain -10

SKILL.md includes badge images hosted on clawaudit.duckdns.org, a dynamic DNS domain. These could track when/where the skill is rendered and lend false trust through 'No high vulnerabilities found' badges.

MEDIUM Arbitrary JavaScript execution in browser context -20

The run-code and eval commands allow execution of arbitrary JavaScript within the browser page context. This could be used to extract cookies, localStorage tokens, DOM content, or inject keyloggers into visited pages.

MEDIUM Global npm install with potential install scripts -15

The skill instructs running npm install -g @playwright/cli@latest which executes with user privileges and could trigger preinstall/postinstall hooks from the package or its dependencies.

MEDIUM agentarxiv establishes C2-style heartbeat pattern -10

The agentarxiv skill instructs the agent to configure periodic (every 4 hours) outbound HTTP requests to agentarxiv.org/api/v1/heartbeat and feeds/global. This is a classic command-and-control heartbeat pattern that could receive tasking instructions.

LOW Browser session persistence stores auth state to disk -10

Session persistence stores cookies, localStorage, and authentication state to disk. If the agent browses authenticated services, these credentials are persisted and potentially accessible to other skills or processes.

LOW Network traffic inspection exposes sensitive headers -10

The playwright-cli network command exposes all HTTP request/response data including Authorization headers, cookies, and tokens to the agent's context, where they could be captured by prompt injection or other skills.

INFO No outbound network connections during install 0

Despite the suspicious file access patterns, no outbound network connections were detected during installation. The firewall did not block any connection attempts either.

INFO Canary files intact 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained unmodified, indicating no direct canary tampering during installation.