browserbase-sessions

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Browserbase session-management skill, but it needs review because it preserves logged-in browser state and includes an unexpected ChatGPT/Suno automation script.

Install only if you intentionally want persistent Browserbase automation over logged-in cloud browsers. If you do:
  • Use a dedicated Browserbase project/key.
  • Isolate workspaces per site or task.
  • Disable recording, logging, and CAPTCHA solving when not needed.
  • Avoid exporting cookies unless absolutely necessary.
  • Stop sessions and delete contexts when finished.
  • Review or remove scripts/dedication_automation.mjs if you do not want ChatGPT/Suno account automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes substantial capabilities—environment access, file read/write, network, shell, and MCP-driven browser control—without declaring permissions. That weakens user visibility and policy enforcement, increasing the chance an agent can access secrets, persist state, or interact with external systems in ways the operator did not explicitly authorize. In this context, the risk is elevated because the skill is specifically designed to handle authenticated browser sessions and local workspace files.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill includes local dependency installation and subprocess execution that go beyond the advertised browser-session management purpose. In an agent setting, this broader capability increases attack surface because a caller can trigger local environment modification and execution paths not necessary for normal browser automation.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The execute-js command allows arbitrary JavaScript execution inside authenticated browser sessions, which is a powerful capability not clearly reflected by the high-level description. In context, this can access sensitive page data, manipulate workflows, and perform arbitrary in-session actions on behalf of a logged-in user or workspace.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The get-cookies command returns all cookies from the browser context, including authentication/session tokens, which materially exceeds simple session management. In this skill's context of persistent authenticated browser sessions, exposing cookies is especially dangerous because it can enable account hijacking or replay of authenticated state outside the browser.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script materially exceeds the stated skill purpose of Browserbase session management by automating ChatGPT prompt submission and Suno song creation using persisted authenticated browser contexts. That mismatch is dangerous because it can hide undisclosed third-party actions performed under a user's logged-in sessions, increasing the risk of unauthorized use, data disclosure, and abuse of external accounts.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code contains dedicated logic to navigate to ChatGPT and Suno, submit user content, detect login state, fill forms, and trigger song generation, which is unrelated to the advertised session-management function. In a skill ecosystem, this kind of hidden expanded capability is dangerous because it enables covert use of stored authenticated sessions to act on external services beyond what users and reviewers would reasonably expect.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that session recording and rrweb event retrieval are enabled by default, but it does not prominently warn that sensitive on-screen data, credentials, personal information, and user actions may be captured and retained. In an agent-operated browser skill, this increases privacy and compliance risk because operators may use it on authenticated sessions without realizing recordings are being created and retrievable.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises automatic CAPTCHA solving enabled by default without warning that bypassing anti-bot controls may violate site terms, trigger account restrictions, or create legal and abuse risks. In a browser automation skill, default-enabled CAPTCHA solving materially lowers friction for accessing protected flows and can be misused against services that rely on CAPTCHA as a defensive control.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The reference explicitly documents session logs, rrweb recordings, downloadable files, and non-expiring persistent contexts, but provides no warning about sensitive data capture, retention, or consent requirements. In a skill designed to preserve authenticated browser state, these features materially increase the chance of collecting cookies, page contents, credentials, or personal data without operators understanding the privacy implications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The cookie extraction feature returns sensitive authentication material without any user-facing warning, masking, or approval checkpoint. Because this skill is designed to preserve logged-in sessions, silent cookie export makes secret exfiltration easier and increases the chance of misuse by downstream agents or prompts.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script loads Browserbase API credentials from environment variables and enables recordSession and logSession while also using persistent contexts that may contain authenticated cookies. Without clear disclosure or minimization, this can capture sensitive browsing activity, account data, and session artifacts in logs or recordings, creating privacy and credential-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends user-supplied dedication text and related metadata to ChatGPT and then to Suno, but the file provides no explicit disclosure, consent flow, or data-handling notice for those external transfers. In the context of a skill advertised as session management, this is more dangerous because users may not expect their input to be forwarded to multiple third-party services under authenticated sessions.

Session Persistence

Medium
Category
Rogue Agent
Content
This skill gives the OpenClaw agent the ability to:

- **Create cloud browser sessions** via Browserbase's infrastructure
- **Persist authentication** across sessions using Contexts (cookies, local storage,
  session storage are saved and restored automatically)
- **Use workspaces for persistence** — a workspace ties together a Context + active session id
Confidence
84% confidence
Finding
Create cloud browser sessions** via Browserbase's infrastructure - **Persist authentication** across sessions using Contexts (cookies, local storage, session storage are saved and restored automatic

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: browserbase-sessions
description: Create and manage persistent Browserbase cloud browser sessions with authentication persistence. Use when you need to automate browsers, maintain logged-in sessions across interactions, scrape authenticated pages, or manage cloud browser instances.
license: MIT
homepage: https://docs.browserbase.com
metadata: {"author":"custom","version":"2.5.0","openclaw":{"emoji":"🌐","requires":{"bins":["python3"]},"primaryEnv":"BROWSERBASE_API_KEY"}}
Confidence
85% confidence
Finding
Create and manage persistent Browserbase cloud browser sessions with authentication persistence. Use when you need to automate browsers, maintain logged-in sessions across interactions, scrape authent

Unpinned Dependencies

Low
Category
Supply Chain
Content
browserbase>=1.4.0
playwright>=1.40.0
Confidence
91% confidence
Finding
browserbase>=1.4.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
browserbase>=1.4.0
playwright>=1.40.0
Confidence
91% confidence
Finding
playwright>=1.40.0

VirusTotal

65/65 vendors flagged this skill as clean.