Security audit

osm-ai-bridge

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed browser automation bridge, but it can attach to logged-in browser sessions, inspect browser storage, and hide automation signals, so users should review it carefully before installing.

Install only if you are comfortable giving this skill control over a browser session. Use a dedicated browser profile and separate AI accounts, avoid connecting it to your normal logged-in browser, do not submit secrets or regulated data, and review or delete ~/.openclaw/ai_bridge if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and demonstrates network and shell-capable behavior such as connecting to a browser over CDP and auto-starting Edge, yet declares no permissions. This removes an important trust boundary for users and reviewers, making it easier for a skill with powerful host and browser access to run without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose does not match the effective behavior: the skill emphasizes multi-AI collaboration, but also accesses cookies/localStorage, injects anti-detection logic, and appears to implement only limited hardcoded automation. This mismatch can conceal sensitive data access and browser manipulation behind a benign-looking description, which increases the risk of deceptive deployment and misuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code injects stealth and anti-detection JavaScript to hide browser automation by modifying navigator.webdriver, plugins, permissions, WebGL, and chrome properties. In a browser-bridging skill, this is not necessary for basic automation and is a classic evasion capability that can be used to bypass bot detection and conceal automated access to third-party services.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script reads all cookies and LocalStorage entries from the attached browser context even though the Ask workflow does not require collecting or processing that data. This creates unnecessary access to session tokens and sensitive browser state, increasing the risk of credential theft, privacy violations, or later exfiltration if the code is extended or compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The changelog explicitly describes attaching to an already logged-in browser via CDP, reusing session state, and extracting page content, but provides no privacy warning, consent flow, or data-boundary explanation. In this skill context, that is dangerous because CDP access to a live browser can expose cookies, local storage, authenticated content, and other sensitive session data well beyond the intended AI interaction.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file advertises injection of anti-detection scripts to hide webdriver characteristics without any warning about integrity, compliance, or misuse implications. In this skill's browser-automation context, stealth injection increases the risk of covert interaction with third-party services, evasion of platform defenses, and operation in ways users or site operators would not reasonably expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Exposing cookie and localStorage access without a strong privacy warning is dangerous because these stores commonly contain session tokens, identifiers, and other secrets that can enable account takeover or data theft. In this skill's context, browser automation plus CDP access makes retrieval of authenticated browser state especially sensitive.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatically launching a browser with remote debugging enabled creates a powerful local control channel that can expose tabs, session state, and browsing actions to any process able to connect. Without a security warning, users may not understand that enabling a debugging port meaningfully weakens local system and browser security.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Injecting anti-detection scripts to hide webdriver traits is a strong abuse signal because it is designed to evade site defenses and conceal automation from services and users. In combination with cookie/storage access and CDP control, this materially increases the likelihood of stealthy account misuse, scraping, or policy-violating automation.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill accesses browser cookies and LocalStorage without any user-facing disclosure, warning, or consent flow. In this context, the hidden access is especially dangerous because the tool attaches to a browser session tied to real accounts, so secret tokens and personal state may be silently exposed during normal use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs anti-detection browser modifications without telling the user, concealing that it is altering the browser fingerprint to evade detection by websites. Hidden evasion behavior is dangerous because it removes user awareness and can facilitate unauthorized automation against services that rely on these signals for abuse prevention.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function automatically sends user-provided topic and viewpoint content to an external AI service through a browser session, but the code provides no consent flow, warning, or data-sensitivity check. In this skill context, the bridge also relies on an already-authenticated browser via CDP, which makes accidental disclosure more dangerous because sensitive internal or personal content could be transmitted to a third party under the user's active session.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.