ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fast Agent Browser

v1.1.0

Python CLI tool for AI agents to automate web browsers with Playwright, supporting navigation, interaction, snapshots, screenshots, and form handling.

0· 46·0 current·0 all-time
byClawMem.com@leohuang8688
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: this is a Python CLI wrapper around Playwright for browser automation, which justifies the declared dependencies (playwright, click, etc.). However several docs and contribution notes reference unrelated tooling (CONTRIBUTING.md suggests `npm install -g agent-browser@latest` and Node.js/Click tests reference a click-based CLI) while the provided CLI is a simple Python main() — this inconsistency suggests sloppy packaging or copy-pasted documentation, not aligned with a clean release.
!
Instruction Scope
SKILL.md explicitly instructs running `pip3 install -r requirements.txt` and `python3 agent_browser.py install` (which runs `python -m playwright install`), which will download browser binaries. The runtime instructions and README assert 'All user inputs are sanitized', but the source contains no robust sanitization (e.g., wait() interpolates text directly into a JS string). SKILL.md also contains a pre-scan 'unicode-control-chars' prompt-injection signal. The docs encourage saving/loading persistent profiles (filesystem paths) which could expose local files if implemented; the actual code has many TODOs/NotImplemented and some truncated/buggy sections, meaning behavior may be incomplete or unpredictable.
Install Mechanism
There is no formal install spec in the registry; SKILL.md asks users to pip-install requirements and run Playwright's browser installer. That will download binary browser artifacts from Playwright's distribution hosts — expected for this functionality but networked and writes files to the user's environment. The repository does not pull code from unknown external URLs, but running the Playwright installer and pip on untrusted code should be treated as potentially risky.
Credentials
The skill declares no required environment variables or credentials, which is proportionate for a local browser automation tool. The docs reference persistent profiles and saving state to disk (paths like ~/.myapp-profile), which could read/write user files if implemented; the current code has limited or missing implementation for these features, so there is no explicit credential demand, but file access is possible via normal CLI usage (screenshots, saved state).
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It runs as a normal user-level CLI and will only be active when invoked. The CLI 'install' command runs Playwright's installer (downloads browsers), but that is normal for Playwright usage and not an autonomy privilege within the platform.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md pre-scan detected unicode control characters (a common prompt-injection technique). This is not expected for straightforward CLI docs and could be an attempt to manipulate LLM parsing or evaluation. Even if benign, it warrants manual inspection of the SKILL.md and other textual files for hidden characters or obfuscated instructions.
What to consider before installing
What to consider before installing or running this skill: - Code/Docs mismatch: The repository mixes Python CLI code with docs that reference Node/npm and a Click-based CLI; tests also import a click CLI that doesn't exist. This suggests the package may be copy-pasted or incomplete. Don't assume the documentation accurately describes runtime behavior. - Review the source locally before running installs: pip will install dependencies and Playwright's 'install' step will download browser binaries from the network. Inspect requirements.txt and agent_browser.py (which shells out to `python -m playwright install`) and run these steps in an isolated environment (container, VM, or dedicated sandbox) first. - Prompt-injection signal: The SKILL.md contained unicode control characters flagged by a scanner. Open the file in a hex/visible-character viewer and remove or inspect any hidden characters before using it; treat the docs as potentially manipulated. - Input handling is not proven: The README claims inputs are sanitized, but the code shows direct interpolation into page scripts (e.g., wait() uses document.body.innerText.includes('{text}')). This is a bug and could break for special input; avoid passing secrets or sensitive data into the skill until sanitization/escaping is confirmed. - File access and persistent state: The docs mention saving/loading state and profiles (filesystem paths). If you will use these features, verify the implementation path and ensure it won't overwrite or read unexpected user files. Prefer specifying explicit paths to dedicated directories. - Run in a sandbox first: Execute the install and some basic commands (open a known site, take a screenshot) in an isolated environment, and watch for unexpected network traffic or attempts to access unrelated files. - When in doubt, ask the publisher for provenance: The skill's source/homepage is unknown and owner metadata is opaque. If you need this skill for production use, request a release from a known repository or a maintainer with verifiable identity. If you want, I can point out the exact lines in the code that are inconsistent or unsafe (e.g., the wait() JS interpolation, truncated/unfinished code paths, and the locations of the prompt-control characters) so you can inspect or patch them prior to running.
src/browser.py:398
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9734v1hsbjracn26ycc9fz2r983mftt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments