suspicious.dangerous_exec
- Location: scripts/install-host.mjs:24
- Finding: Shell command execution detected (child_process).
Advisory
Audited by static analysis on May 12, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act inside websites where the user is already logged in and can prepare credential or payment flows using browser-stored state.
This gives the agent access to the user's existing browser identity and account sessions, which is high-impact even though it is disclosed and purpose-aligned.
FSB drives the user's real Chrome, so every action runs inside whatever sessions, cookies, and saved auth that browser already holds.
Use a dedicated browser profile or only install if you trust the FSB extension and MCP bridge with your logged-in sites; confirm sensitive actions carefully.
A mistaken or over-broad JS action could click or alter page state in a logged-in session before the agent fully understands the page.
The skill encourages a raw JavaScript escape-hatch in live browser pages, including clicks, which can bypass safer typed interaction paths if used carelessly.
`execute_js` is a first-class interaction tool in FSB... "try execute_js FIRST" for clicks, scrolls, reads, and attribute lookups
Prefer typed tools for sensitive flows, verify page state after JavaScript actions, and require explicit user confirmation before any final submission or account-impacting action.
Future npm package updates could change the bridge that controls the browser.
The MCP bridge is fetched from npm and defaults to the latest version, which is disclosed but means behavior can change without re-review unless the user pins a version.
By default, `npx -y fsb-mcp-server` resolves to the latest published bridge... If you prefer review-before-upgrade, pin a release
Pin a reviewed fsb-mcp-server version if you want stable, review-before-upgrade behavior.
Running the doctor or installer will execute the fsb-mcp-server package on the user's machine.
The diagnostic script executes an external npm package through npx. This is documented and aligned with setup/diagnostics, but it is still local code execution.
`const child = spawn('npx', ['-y', 'fsb-mcp-server', 'doctor'], {`
Run these commands only from a trusted environment and consider pinning the package version.
Live page content and browser actions may pass through the local MCP bridge while tasks run.
Browser commands and page reads are routed through a local extension/bridge architecture. This is expected for the skill, but it is a sensitive communication path.
FSB drives the user's real Chrome via the FSB extension and a local MCP bridge
Install only if you trust the local bridge and extension; keep them updated or pinned to reviewed versions.