Browser Automation V2
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its browser-automation purpose, but it builds shell commands from user-provided URLs, profile names, and form/search text in a way that could let the shell run commands the user did not intend.
Install only if you trust the skill and can use it with a dedicated browser profile. Avoid passing untrusted URLs, search terms, form values, or profile names until the scripts are changed to avoid shell-based command construction.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted URL, search query, form value, or profile name could cause the local shell to run commands the user did not intend.
The central command runner uses child_process.exec, which invokes a shell. Other methods build cmd strings from user-controlled values such as URL, text, key, ref, format, timeout, and BROWSER_PROFILE, creating command-injection risk.
`exec(cmd, { timeout }, async (err, stdout, stderr) => {`
Replace exec string commands with execFile/spawn using an argument array, validate allowed values, and escape or reject shell metacharacters in all user-controlled inputs.
If an agent or user passes a maliciously crafted URL, the skill could misuse the local command shell instead of only fetching the intended page.
A user-supplied URL is inserted directly into a shell command. This exposes the OpenClaw CLI through an unsafe command-construction pattern.
`exec(`openclaw web_fetch "${url}" --max-chars 10000`, { timeout: 15000 }, (err, stdout, stderr) => {`
Invoke web_fetch without a shell, pass the URL as a separate argument, and restrict accepted URL schemes to expected web URLs.
The automation may act through a browser profile that is already logged in, so page access, screenshots, PDFs, or form filling could involve private accounts.
The skill relies on a browser profile, which can contain authenticated session state, but the metadata declares no primary credential or config path and the artifacts do not clearly bound what logged-in sites or session data may be used.
Browser profile configured (default: `openclaw`)
Use a dedicated low-privilege browser profile, document that logged-in sessions may be used, and require explicit user confirmation before interacting with authenticated or sensitive sites.
Users may not realize from metadata alone that the skill needs Node/OpenClaw browser CLI access, a gateway, and a browser profile.
The runtime requirements are documented in SKILL.md, but the registry metadata lists no required binaries, environment variables, credentials, or config paths. This is an under-declaration rather than hidden behavior.
- OpenClaw v2026.2.15+
- Browser profile configured (default: `openclaw`)
- Gateway running
Declare runtime binaries, optional environment variables, and browser-profile requirements in metadata so users can assess permissions before installation.
