Dynamic code execution
Critical
- Finding
- Dynamic code execution detected.
PageAgent Browser Enhancement
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill coherently provides browser DOM automation, but it should be reviewed because it can inject code into any page, run arbitrary JavaScript, and operate with browser session privileges.
Install only if you need precise browser automation. Prefer the isolated openclaw browser profile, avoid sensitive logged-in pages unless supervising closely, and require explicit confirmation before arbitrary JavaScript, form submissions, purchases, account changes, or public-facing actions.
Static analysis
Dynamic code execution
Critical
- Finding
- Dynamic code execution detected.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
If invoked on a sensitive site, the skill could read or change page data beyond the safer indexed click/input workflow.
Why it was flagged
The controller evaluates caller-supplied script text in the page context. Combined with the exposed execJS wrapper, this allows arbitrary JavaScript to run on an injected page.
Skill content
const asyncFunction = eval(`(async () => { ${script} })`);Recommendation
Disable or remove the arbitrary execJS/executeJavascript path, or require explicit user confirmation and origin allowlisting before any arbitrary script runs.
What this means
A mistaken or prompt-influenced action could click buttons, fill forms, or trigger side effects on websites the user is logged into.
Why it was flagged
The skill explicitly authorizes broad interactive control on arbitrary web pages, including actions that may submit forms or mutate account data.
Skill content
Injects into any web page ... clicking, typing, scrolling, form filling, or reading page structure.
Recommendation
Use this only with clear user intent, prefer read-only DOM extraction on untrusted pages, and require confirmation before clicks, form submissions, purchases, account changes, or public posts.
What this means
When used with a real Chrome profile, actions may occur under the user's logged-in accounts rather than an isolated test browser.
Why it was flagged
The Chrome profile option can inherit existing browser login/session privileges, while the skill is otherwise described as usable on any web page.
Skill content
Use `profile="openclaw"` for the isolated browser, or `profile="chrome"` for the Chrome extension relay
Recommendation
Prefer the isolated openclaw profile; if using Chrome, limit it to trusted sites and require confirmation before account-changing actions.
What this means
Sensitive information visible on a page can be brought into the agent context, and malicious page text could try to influence later agent actions.
Why it was flagged
The skill intentionally converts web page DOM content into model-readable context, which may include private page data or untrusted page text.
Skill content
content is the LLM-readable simplified HTML with indexed interactive elements
Recommendation
Only use DOM extraction on pages you are comfortable exposing to the agent, and treat all page content as untrusted data rather than instructions.
What this means
Users must trust the bundled controller code as supplied by this package.
Why it was flagged
The skill bundles large browser-controller scripts but lacks registry source and homepage provenance, making independent verification harder.
Skill content
Source: unknown; Homepage: none
Recommendation
Prefer a source-linked release or verify the bundled PageAgent files against the claimed upstream version before installing.