Openclaw Browser Automation 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is not clearly malicious, but it needs review because it can automate sensitive web actions while retaining sessions, downloading files, using remote browsing, and installing unreviewed CLI code.

Install only after reviewing the actual npm package/source that npm install and npm link will run. Use this with authorized sites only, remove Browserbase keys unless remote browsing is intended, avoid sensitive accounts, confirm before submitting forms or downloading files, and clear the Chrome profile and agent output folders after use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The examples explicitly demonstrate downloading a file and note that files are automatically written to a local downloads directory, but they do not frame this as a sensitive side effect or require explicit user consent. In an agent skill, silent local writes expand capability beyond simple page interaction and can lead to unreviewed storage of untrusted or sensitive content.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The note says the example uses Chrome's persistent user profile and may preserve session cookies between runs, which can cause cross-task authentication reuse and unintended access to prior sessions. In an automation skill, retained browser state increases the chance of acting under stale or overly privileged authentication without the user's awareness.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The reference explicitly documents persistent browser profiles and a downloads directory, which extend the skill beyond transient website interaction into durable local state and file creation. In an agent context, this increases risk of unintended retention of cookies, tokens, browsing history, and downloaded potentially unsafe files, especially if users expect simple browser automation only.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The documentation states the browser can access localhost and internal networks, creating SSRF-style reachability into services not normally intended by a website-browsing skill. In an agent environment, this materially raises the danger because malicious pages or user prompts could cause interaction with admin panels, cloud metadata endpoints, or other internal resources and exfiltrate sensitive data.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The form-submission example instructs entering personally identifying information and submitting it to a third-party website, but it does not warn that this transmits user data externally. For a browser automation skill, omission of a disclosure/consent step can normalize sending personal information to arbitrary sites without adequate user awareness.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The login workflow demonstrates entering credentials and then highlights use of a persistent profile that may retain session cookies, without a strong warning about credential exposure, stored authentication artifacts, or reuse across runs. This combination materially raises the risk of account compromise, unauthorized continued access, and accidental operations in authenticated contexts.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The download example states that files are automatically saved to a local directory but does not clearly warn users that invoking the example causes a local write of remote content. In an agent context, automatic storage of downloaded files can introduce malware, sensitive-data retention, or disk-use issues if users do not understand the side effect.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: Automatic downloads to a local directory without prominent user-facing warning or consent can result in silent filesystem changes and storage of untrusted content. In this skill, that risk is amplified because the browser automation can be driven by natural language and may visit arbitrary sites, making accidental or induced downloads more plausible.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill silently switches to a remote Browserbase environment whenever API keys are present, without notifying the user that browser activity and potentially sensitive page contents may be transmitted to a third-party service. In a browser automation context, this materially increases privacy and data-handling risk because users may assume interactions are local when they are not.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal