Browser Automation Core

Security checks across malware telemetry and agentic risk

Overview

This is a real browser automation skill, but it gives agents broad control over browsing, form submission, screenshots, and in-page scripts without enough user-facing limits.

Install only if you intend to let agents operate a browser with broad powers. Use a dedicated browser profile, avoid personal logged-in sessions, restrict allowed domains and workflows, replace the realistic sample data, and require explicit approval before submitting forms, running custom scripts, or capturing pages that may contain sensitive information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
full_command = ["openclaw", "browser"] + command
logger.debug(f"Running command: {' '.join(full_command)}")

result = subprocess.run(
    full_command,
    capture_output=True,
    text=True,
Confidence
81% confidence
Finding
result = subprocess.run(full_command, capture_output=True, text=True, timeout=timeout or self.timeout)

Intent-Code Divergence

Low
Confidence
85% confidence
Finding
The documentation warns against hardcoding credentials but immediately provides a concrete login example with a real-looking email identifier. Even without a plaintext password, embedding account identifiers normalizes unsafe practices and increases the chance that agents, users, logs, or downstream examples will reuse or expose sensitive account information.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples encourage submitting forms, persisting sessions, taking screenshots, and capturing page data without corresponding warnings about consent, privacy, or effects on external systems. In a browser automation skill, this omission materially increases the risk of unauthorized submissions, collection of sensitive data, and retention of session artifacts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example embeds realistic personally identifiable information including a full name, email address, phone number, and street address directly in source code, and the workflow then prints and uses that data for browser automation and screenshot capture. Even in an example file, hard-coded PII can be unintentionally committed, redistributed, logged, or captured in screenshots, creating privacy and data-handling risks that are amplified by an automation skill designed to transmit form data to external websites.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
execute_script writes arbitrary script content to a temporary file and then asks the browser CLI to evaluate it, effectively providing a raw code-execution primitive inside the browser context. In an agent skill intended for web automation, this is especially dangerous because untrusted tasks or page content could induce execution of hostile JavaScript that manipulates authenticated sessions, extracts page data, or performs unauthorized actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
fill_form serializes user-provided form data to a temporary file on disk without minimization or disclosure, which can persist sensitive information such as credentials, personal data, or competition submissions in local storage. Even though the file is later deleted, temporary files can remain recoverable or accessible to other local processes depending on environment and permissions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The library stores screenshots in `/tmp/browser_screenshots`, and screenshots may capture credentials, session state, personal data, or proprietary content from automated browser sessions. In an agent automation context, silent local persistence increases the risk of sensitive data exposure to other local processes, users, or later collection workflows.

Ssd 3

Medium
Confidence
93% confidence
Finding
The file includes real-looking personal data and account-related identifiers in browser automation examples, which could be captured in screenshots, logs, session stores, or reused by agents as defaults. Because this skill explicitly supports capture, form filling, and session persistence, the presence of PII in examples is more dangerous than in ordinary prose documentation.

VirusTotal

60/60 vendors flagged this skill as clean.
