Back to skill
Skillv2.5.0
VirusTotal security
browserbase-sessions · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:43 AM
- Hash
- 5755218480743eb3df28a76e8da12980dbb955d985a9fcc624debc27da3febe4
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: browserbase-sessions Version: 2.5.0 The skill is classified as suspicious due to a significant JavaScript injection vulnerability in the `execute-js` command within `scripts/browserbase_manager.py`. This command allows arbitrary JavaScript code, provided via the `--code` argument, to be executed directly in the remote cloud browser session using `page.evaluate()`. While this is a feature of browser automation tools, it presents a high-risk attack surface where a malicious agent or user could exploit it to bypass same-origin policy, steal sensitive data from visited websites, or perform other unauthorized actions within the browser context. There is no clear evidence of intentional malicious behavior (e.g., data exfiltration to unauthorized endpoints, persistence mechanisms on the host system, or prompt injection against the OpenClaw agent itself) by the skill's developers, but the vulnerability is critical.
- External report
- View on VirusTotal