Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
test safe agent-browser
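v1.0.0
Restricted browser automation tool. For navigating web pages, taking screenshots, extracting public data, and testing only. Running it without security boundaries enabled is strictly prohibited.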
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (restricted browser automation for navigation, screenshots, public-data extraction and testing) aligns with the provided commands, templates, and references. The included command set (navigation, snapshot, screenshot, form automation, proxy support, state save/load) is coherent for a browser automation skill.
Instruction Scope
SKILL.md and the reference files instruct the agent to run many potentially sensitive actions: saving/loading auth state files, using environment variables for credentials (APP_USERNAME/APP_PASSWORD), piping passwords, running arbitrary JavaScript via agent-browser eval (base64 or stdin), and configuring proxies/network routes. Those instructions go beyond simple public-data scraping and direct the agent to handle secrets and state files — actions that increase risk if done without explicit safeguards and are not constrained by the manifest.
Install Mechanism
No install spec is present (instruction-only), so nothing is fetched or written by an installer. The skill only supplies templates and docs; this is lower install risk. (That said, the agent will need the external 'agent-browser' binary at runtime, which is outside this skill's install scope.)
Credentials
The manifest declares no required environment variables or credentials, but SKILL.md and templates reference many env vars and secrets (AGENT_BROWSER_CONTENT_BOUNDARIES, AGENT_BROWSER_MAX_OUTPUT, AGENT_BROWSER_ALLOWED_DOMAINS, AGENT_BROWSER_ENCRYPTION_KEY, APP_USERNAME, APP_PASSWORD, HTTP_PROXY/HTTPS_PROXY, etc.). The skill uses state files that store session tokens and instructs piping passwords — these are sensitive and should be explicitly declared and justified in metadata. The absence of declared env requirements is a notable mismatch.
Persistence & Privilege
The skill is not marked always:true and does not request persistent, platform-wide privileges. It includes templates to save/restore session state (auth-state.json), but those operate on files the user creates; the skill does not modify other skill configs or claim elevated platform privileges. Model invocation is enabled (default) — normal for skills — but combined with the instruction scope risks (auth/state/proxy) this increases blast radius if misused.
What to consider before installing
This skill appears to implement a fairly powerful browser-automation workflow (snapshots, form automation, state save/load, JS eval, proxy routing, recording). That is coherent with its stated purpose, but be aware of these issues before you install or run it:
- Missing manifest declarations: The skill's docs reference sensitive environment variables (APP_USERNAME, APP_PASSWORD, AGENT_BROWSER_ENCRYPTION_KEY, AGENT_BROWSER_ALLOWED_DOMAINS, proxy envs) but the registry metadata lists none. Ask the publisher to declare required env vars and explain why each is needed.
- Secrets & state files: Templates save 'auth-state.json' files that contain session tokens/cookies. Treat these like secrets: store them only in a secure location, never commit them to source control, and delete them when no longer needed.
- Arbitrary JS eval: The command agent-browser eval (with base64 or stdin) lets the agent execute arbitrary JavaScript in page context — useful for scraping but also a vector for data exfiltration or executing untrusted code. Only run in an isolated, network-restricted environment and restrict which pages the skill can visit (use AGENT_BROWSER_ALLOWED_DOMAINS).
- Proxy and network routing: The skill supports configuring proxies and network routing. Malicious or misconfigured proxies can capture sensitive data or route traffic externally. Only use trusted proxies and validate proxy credentials are not leaked to the model or logs.
- Prompt/injection hygiene: The SKILL.md itself recommends setting AGENT_BROWSER_CONTENT_BOUNDARIES to mitigate prompt injection. Ensure those runtime guards are actually enforced in your agent environment, and avoid giving the agent unfettered access to pages with user-controllable content unless you have strong sandboxing.
- Practical steps: (1) Review the templates and run them first in a fully isolated sandbox (no sensitive network access). (2) Set and confirm AGENT_BROWSER_ALLOWED_DOMAINS before running automation against sensitive sites. (3) Do not expose APP_PASSWORD-style env vars to the model; prefer an external auth vault or ephemeral tokens. (4) If you cannot inspect or control the agent-browser binary that will be invoked, avoid using this skill.
Given missing manifest declarations and the presence of actions that handle secrets and arbitrary execution, treat this skill as 'suspicious' until the publisher clarifies required env vars, confirms safety boundaries are enforced in your runtime, and you verify the external agent-browser binary and runtime policies.
Like a lobster shell, security has layers — review code before you run it.
