Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Browser
v0.1.5Browser automation for AI agents via inference.sh. Navigate web pages, interact with elements using @e refs, take screenshots, record video. Capabilities: we...
⭐ 2· 1.5k·2 current·2 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the provided assets: the SKILL.md, command reference, and templates all implement a Playwright-style browser automation flow (open, snapshot, interact, screenshot, execute, close), proxies, file upload, video, and session management. The scripts and examples are consistent with a web-automation/scraping/browser-automation tool.
Instruction Scope
SKILL.md and the templates instruct callers to install and use the external infsh CLI and to run commands that will (by design) fetch page HTML/text, execute arbitrary JS, extract cookies, upload local files, and request session video. Those instructions do not restrict or warn strongly enough that page content, cookies, uploaded files, or recorded video will be transmitted to the inference.sh service. The templates show workflows that handle credentials, TOTP, and cookie extraction (including examples to put passwords into env vars and to extract cookies), which increases the chance of sensitive data being exposed to the remote service or being stored in its sessions.
Install Mechanism
There is no install spec in the skill bundle, but the Quick Start explicitly tells users/agents to run a remote installer: curl -fsSL https://cli.inference.sh | sh and to download binaries from dist.inference.sh. 'curl | sh' is a high-risk pattern because it executes a remote script. The domains used (cli.inference.sh, dist.inference.sh) are not standard well-known installer hosts like GitHub releases; while checksums are referenced, the installer pattern and remote binary download are notable risks and deserve manual verification before use.
Credentials
The registry metadata declares no required environment variables or credentials, which is accurate for the skill package itself. However the included templates and references routinely show using environment variables for APP_USERNAME, APP_PASSWORD, TOTP secrets, proxy usernames/passwords, and passing local file paths (for upload). Those examples imply the skill will accept and transmit sensitive secrets and local files to the remote inference.sh service if provided — this is proportionate to a remote browser automation service but users should be aware that sensitive env vars and local files may leave their machine.
Persistence & Privilege
The skill does not request 'always: true' and has no special platform privileges; autonomous invocation is allowed but that is the platform default. The real-world risk is that if the agent invokes this skill autonomously it could perform remote browser sessions and transmit data without the user noticing — combine autonomous invocation with the ability to capture cookies, page content, files, and video and the blast radius increases. There is no evidence the skill modifies other skills or system-level config.
What to consider before installing
This skill appears to be a legitimate browser-automation wrapper, but take these precautions before installing or using it:
- Understand remote execution: The instructions use the infsh CLI to run sessions on inference.sh — page content, cookies, screenshots, recorded video, and any files you upload will be sent to that service. Do not use it with accounts or pages that contain secrets you cannot share.
- Avoid piping unknown installers into sh: The Quick Start recommends curl | sh from cli.inference.sh and downloads from dist.inference.sh. Manually review the installer, verify checksums from a trusted source, or prefer installing known, auditable clients.
- Be careful with credentials and local files: Templates show passing APP_PASSWORD, TOTP secrets, proxy credentials, and absolute local file paths. Only provide secrets when you understand where they go and are comfortable they will be handled securely.
- Recording/video: Enabling video will capture on-screen sensitive information. Don’t record sessions with credentials or PII unless you control the destination and storage.
- Proxy & scraping guidance: The skill includes examples for rotating proxies and scraping; ensure you comply with site terms of service and legal/privacy requirements.
- If you need more assurance: Ask the publisher for a homepage, source repo, and reproducible installer steps; prefer self-hosted Playwright or a local CLI you control if you must automate sensitive sites.
If you decide to proceed, verify the infsh CLI's authenticity and read its privacy/hosting policy so you know how and where captured data is stored and for how long.Like a lobster shell, security has layers — review code before you run it.
latestvk97ex5qyw9685hv48b3stgya4h81d0j2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.