Browser Playwright Bridge
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: browser-playwright-bridge
Version: 1.1.0

The `scripts/browser-lock.sh` script trusts two attacker-influenceable environment variables in security-sensitive positions. `CDP_PORT` is interpolated into the `curl` probe (e.g., `curl ... "http://127.0.0.1:$CDP_PORT/json/version"`) and also selects which Chrome processes the lock manager stops, so whoever sets it decides which local port the helper probes and kills. `CHROME_BIN` is executed directly as the Chrome binary (e.g., `"$CHROME_BIN" ...`), so whoever controls it controls which program the helper runs under the user's account. Because both expansions are double-quoted in the snippets shown, the values are not re-parsed as shell syntax (no word splitting or command substitution); the problem is not injection of extra commands but that the script connects to, kills, and executes whatever the variables name without validating them. Both variables are explicitly documented as configurable in `SKILL.md`, making them direct attack vectors for anyone who can set the helper's environment. Control of `CHROME_BIN` amounts to arbitrary code execution, yet there is no clear evidence of intentional malicious behavior (e.g., data exfiltration, persistence, or stealth) within the provided files, which aligns with a 'suspicious' classification rather than 'malicious'.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Playwright script could act as you on any website where the shared OpenClaw browser profile is logged in.
The helper launches Chrome with the OpenClaw browser profile, which the docs state contains cookies/login state. This grants scripts access to existing authenticated sessions and is not bounded to particular sites or actions.
USER_DATA_DIR="$HOME/.openclaw/browser/openclaw/user-data" ... --user-data-dir="$USER_DATA_DIR" ... --password-store=basic
Use a dedicated low-privilege browser profile for automation, review scripts before running them, and avoid using this with sensitive accounts unless the task and target sites are explicitly scoped.
If an unsafe or overly broad script is run, it can control the logged-in browser and the helper may also interrupt an existing Chrome session on the CDP port.
The lock manager can stop Chrome processes on the configured CDP port and run any Node script path supplied to it. That is central to the skill, but there is no allowlist or approval boundary for high-impact authenticated browser actions.
kill_cdp_chrome ... node "$@" & ... kill -0 "$pid" 2>/dev/null && kill -9 "$pid"
Only run reviewed scripts from trusted workspace paths, add explicit approval before account-changing actions, and consider restricting the helper to a dedicated CDP port/profile.
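The following is an added example, not the skill's own `scripts/browser-lock.sh`, showing the input gating the Overview and this finding call for: `CDP_PORT` is accepted only as a plain unprivileged port number, `CHROME_BIN` only if it exactly matches an allowlist of absolute paths, and the Node script only if it resolves (symlinks included) to a file under a trusted workspace root. The allowlist contents, `TRUSTED_SCRIPT_ROOT`, the dedicated `USER_DATA_DIR`, and the function names are assumptions for illustration; `readlink -f` is the GNU coreutils/BusyBox form.

```shell
#!/usr/bin/env bash
# Added example, not the skill's scripts/browser-lock.sh: validate the inputs
# the helper trusts (CDP_PORT, CHROME_BIN, and the Node script path) before any
# curl, kill, or exec uses them. Allowlist contents and paths are assumptions.
set -eu

# Hypothetical allowlist of Chrome binaries the helper may launch.
CHROME_ALLOWLIST="/usr/bin/google-chrome /usr/bin/chromium /opt/google/chrome/chrome"
# Hypothetical trusted root; only scripts resolving under it may be run.
TRUSTED_SCRIPT_ROOT="${TRUSTED_SCRIPT_ROOT:-${HOME:-/tmp}/.openclaw/workspace/scripts}"
# Hypothetical dedicated automation profile instead of the shared login profile.
USER_DATA_DIR="${USER_DATA_DIR:-${HOME:-/tmp}/.openclaw/browser/automation-profile}"

# CDP_PORT must be plain digits in the unprivileged range, so it can only ever
# select a localhost port (for curl and for the kill), never anything else.
validate_cdp_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# CHROME_BIN must be an absolute path that exactly matches an allowlisted binary.
# Existence and executability are checked at launch time, after this check.
validate_chrome_bin() {
  local bin="$1" allowed
  case "$bin" in /*) ;; *) return 1 ;; esac
  for allowed in $CHROME_ALLOWLIST; do
    [ "$bin" = "$allowed" ] && return 0
  done
  return 1
}

# The Node script must resolve (symlinks included) to a regular file under
# TRUSTED_SCRIPT_ROOT, so "../" or a symlink cannot escape the workspace.
validate_script_path() {
  local root resolved
  root=$(readlink -f -- "$TRUSTED_SCRIPT_ROOT") || return 1
  resolved=$(readlink -f -- "$1") || return 1
  [ -f "$resolved" ] || return 1
  case "$resolved" in
    "$root"/*) return 0 ;;
  esac
  return 1
}

# Guarded launch path: every input is validated first, and only Chrome
# instances we started ourselves (this exact port and profile, in the argument
# order used below) are stopped. Usage: launch_locked /path/to/script.js
launch_locked() {
  local port="${CDP_PORT:-9222}" chrome="${CHROME_BIN:-/usr/bin/google-chrome}" script="$1"
  validate_cdp_port "$port"      || { echo "refusing CDP_PORT=$port" >&2; return 1; }
  validate_chrome_bin "$chrome"  || { echo "refusing CHROME_BIN=$chrome" >&2; return 1; }
  [ -x "$chrome" ]               || { echo "$chrome is not executable" >&2; return 1; }
  validate_script_path "$script" || { echo "script is outside $TRUSTED_SCRIPT_ROOT" >&2; return 1; }
  pkill -f -- "--remote-debugging-port=$port --user-data-dir=$USER_DATA_DIR" || true
  "$chrome" --remote-debugging-port="$port" --user-data-dir="$USER_DATA_DIR" --password-store=basic &
  node "$script"
}
```

The string checks run before anything touches the process table, so an attacker who can set the helper's environment gains at most the ability to pick one of the listed binaries and one unprivileged port, and a script handed to `node` cannot point outside the trusted root even through a symlink.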
The skill depends on local command execution, so it should only be used in workspaces where running helper commands is acceptable.
The template executes fixed local shell commands to discover the CDP port and probe localhost. This explains the static scan finding and appears purpose-aligned, not hidden exfiltration.
const { execSync } = require('child_process'); ... execSync("ps aux | grep 'remote-debugging-port=' | grep -v grep", ...)
Keep the command discovery logic fixed, avoid adding user-controlled shell strings, and review modifications to generated Playwright scripts.
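As an added example (not the skill's Node template, which shells out to a fixed `ps aux | grep ...` pipeline), the same port discovery done in shell: the process listing is parsed as data with `awk`, only a whole `--remote-debugging-port=<digits>` argument is accepted, and the result is range-checked before `curl` uses it. The sample `ps aux` text is constructed for offline use and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the skill's Node template: discover the CDP port from a
# fixed process listing, treating the listing purely as data. No part of it is
# ever handed back to a shell, and the port is checked before curl sees it.
set -eu

# Print the port from the first process whose command line carries a whole
# '--remote-debugging-port=<digits>' argument. A token such as
# '--remote-debugging-port=9333;touch' does not match and is skipped, and the
# grep line from the original pipeline never matches, so no 'grep -v grep' is needed.
extract_cdp_port() {
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^--remote-debugging-port=[0-9]+$/) {
        sub(/^--remote-debugging-port=/, "", $i)
        print $i
        exit
      }
  }'
}

# Discover from the live process table (the constructed sample below is used
# instead when running offline).
discover_cdp_port() {
  ps aux | extract_cdp_port
}

# Probe DevTools only with a port that passed discovery and the range check.
probe_cdp() {
  local port="$1"
  case "$port" in ''|*[!0-9]*) echo "no usable CDP port" >&2; return 1 ;; esac
  [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
  curl -fsS --max-time 2 "http://127.0.0.1:$port/json/version"
}

# Constructed ps aux sample (not real output): a grep process, a process with a
# hostile-looking argument, and the Chrome instance we actually want.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
alice 4102 0.0 0.1 9000 2000 pts/0 S+ 10:00 0:00 grep remote-debugging-port=
alice 4200 0.0 0.5 50000 9000 ? S 09:57 0:00 /opt/other/app --remote-debugging-port=9333;touch /tmp/x
alice 3991 2.1 4.0 900000 300000 ? Sl 09:58 0:12 /usr/bin/google-chrome --remote-debugging-port=9222 --user-data-dir=/home/alice/.openclaw/browser/openclaw/user-data --password-store=basic'

main() {
  local port
  port=$(printf '%s\n' "$SAMPLE_PS" | extract_cdp_port)
  echo "discovered CDP port: ${port:-none}"
}

main "$@"
```

Because the match is anchored to a single whitespace-delimited token of digits, a process that merely mentions the flag, or carries extra characters after the number, can never produce a value; at worst discovery yields nothing and `probe_cdp` refuses to run.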
A cron job using this helper could keep performing browser actions with your login state after the original setup.
The skill documents scheduled use but does not itself install a cron job. Scheduled authenticated browser automation is still something users should notice.
Use when: ... scheduling browser tasks in cron without CDP conflicts ... In cron tasks, call browser-lock.sh directly
Create scheduled jobs only intentionally, document their purpose, and regularly audit/remove cron entries that use the shared browser profile.
Installing Playwright adds third-party code to the workspace outside the skill's packaged files.
The setup asks for an unpinned npm package install even though there is no install spec. This is normal for a Playwright helper, but users should understand the dependency source.
cd <workspace> && npm install playwright
Install dependencies from trusted registries, consider pinning Playwright versions, and review package-lock changes in sensitive environments.
