Personal Agent Browser
Security checks across malware telemetry and agentic risk
Overview
This browser skill has a coherent purpose, but its helper script builds a shell command from the requested URL, which could let a crafted URL run local commands.
Do not install this version unless you are comfortable reviewing and fixing the helper script. At minimum, the author should remove shell interpolation, validate URLs, use execFile/spawn with argument arrays, pin and declare the agent-browser dependency, and correct the privacy claims.
VirusTotal
67/67 vendors reported this skill as clean. A clean antivirus result does not cover the command-injection issue described below: that is a logic flaw in the helper script, not malware that signature scanning would detect.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed URL could execute local commands under the user's account instead of only opening a web page.
The URL comes from process.argv[2] and is interpolated into a command string that is passed to child_process.exec. exec runs the string through a shell (/bin/sh, or cmd.exe on Windows), so a URL containing a double quote, a semicolon, $(...) or backticks closes the quoted --url argument and runs whatever follows as a separate command under the user's account whenever the helper is invoked.

const command = `agent-browser --url="${url}" --output=markdown --timeout=10000`;
exec(command, { timeout: 15000 }, ...)

Replace exec with execFile or spawn and pass the arguments as an array so that no shell is involved; parse the URL with a URL parser (Node's URL class) before use, allow only the expected schemes such as http and https, and reject anything that does not parse as an absolute URL.
The actual browsing behavior depends on the separately installed agent-browser package.
The skill depends on a globally installed npm package that is not included or pinned in the reviewed artifacts. This is aligned with the skill's purpose, but the external CLI's behavior and provenance are outside this package review.
The agent-browser CLI must be installed: npm install -g agent-browser
Install the CLI only from a trusted source, pin a known-good version when possible (npm install -g agent-browser@<version> rather than the unpinned latest), and declare the required binary in the skill metadata so users know the skill cannot work without it.
Users may believe there is no network exposure or external dependency, when in fact browsing inherently sends requests to third-party websites and relies on external CLI code.
The documentation overstates the privacy and dependency posture: the skill fetches arbitrary web pages over the network and requires an external npm-installed CLI.
All data is processed only on your local machine, safe and reliable. ... No external dependencies
Clarify that browsing sends requests to target sites, remove absolute safety claims, and accurately document the external CLI dependency.
