podman-browser

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
High Confidence
ASI01: Agent Goal Hijack
What this means

A malicious or compromised webpage could include text that tries to influence the agent after the page is fetched.

Why it was flagged

The skill intentionally returns webpage content to the agent; webpages can contain prompt-injection text or misleading instructions if the agent later treats the page content as authoritative.

Skill content
Fetch a JavaScript-rendered page and return its text content. ... `--html` - Return raw HTML instead of text
Recommendation

Treat fetched webpage text or HTML as untrusted content and do not follow instructions found inside page output unless the user explicitly asks.

What this means

The skill depends on external registries being available and trustworthy when it runs.

Why it was flagged

The tool pulls a remote container image and installs a Playwright npm package at runtime. The versions are pinned by tag/version, but the container image is not pinned by digest and there is no lockfile in the artifact set.

Skill content
const IMAGE = 'mcr.microsoft.com/playwright:v1.50.0-noble'; ... npm install playwright@${PLAYWRIGHT_VERSION}
Recommendation

Use this only in environments where pulling from Microsoft Container Registry and npm is acceptable; for stricter environments, pin the image by digest and prebuild or lock dependencies.

What this means

Invoking the skill runs local Podman and executes code inside a newly started container.

Why it was flagged

The CLI starts a Podman process and runs a bash command inside the container. This is expected for the browser-container purpose and is disclosed in the documentation.

Skill content
const proc = spawn('podman', podmanArgs, { stdio: ['inherit', 'inherit', 'inherit'] });
Recommendation

Install and invoke it only if you are comfortable with the agent launching Podman containers for webpage fetching.

What this means

If a browser or container escape vulnerability were exploited by a page, the reduced isolation could increase host exposure compared with a fully sandboxed browser container.

Why it was flagged

The container shares the host IPC namespace and Chromium is launched without its sandbox. This is documented as a Chromium stability choice, but it reduces isolation when browsing untrusted pages.

Skill content
'--ipc=host', ... args: ['--no-sandbox', '--disable-setuid-sandbox']
Recommendation

Prefer trusted or necessary URLs, keep Podman and the Playwright image updated, and consider removing `--ipc=host` or using stronger container isolation if stability allows.

Findings (1)

critical

suspicious.dangerous_exec

Location
browse.js:130
Finding
Shell command execution detected (child_process).