Openclaw Skill Browser Use

Security checks across malware telemetry and agentic risk

Overview

This is a real browser automation skill, but it needs review because it silently uses local API keys and gives an autonomous browser broad, sensitive capabilities with weak safety disclosure.

Install only in a trusted or disposable environment. Set scoped API keys explicitly, review or remove the /root/.openclaw/openclaw.json credential fallback, avoid using real logged-in accounts unless necessary, and treat saved auth state, cookies, screenshots, PDFs, and recordings as secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The wrapper automatically reads API credentials from a host-level file under /root and injects them into the process without explicit user consent. In an autonomous browser skill, this is especially risky because it expands the trust boundary from the skill input to host secrets, enabling unintended use of privileged credentials and making secret exposure or unauthorized billing more likely.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The wrapper silently reads API keys from /root/.openclaw/openclaw.json and repurposes them for this skill without explicit user consent. That crosses trust boundaries between unrelated tools and causes credential exposure/use in a browser-automation skill that can navigate arbitrary sites and send prompts/content to external LLM providers.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises autonomous browser actions, session management, cookie/auth-state persistence, and multi-step task execution without any safety guidance about acting on logged-in accounts, submitting forms, or interacting with third-party services. In an agent skill, that omission materially increases the chance that users or downstream agents will perform high-risk actions against real accounts or websites without understanding the consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents powerful browser actions including form submission, file upload, screenshots, recording, cookie/storage inspection, and auth-state save/load without warning about privacy, consent, or destructive side effects. In an autonomous browsing context, this omission is risky because an agent may capture sensitive data, replay authenticated sessions, or modify third-party accounts with little operator awareness.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The example script pulls an API key directly from the environment but provides no warning about secret handling, logging, or downstream exposure to autonomous tooling. While reading a local environment variable is common, in this skill it normalizes credential use inside an autonomous agent workflow that may browse untrusted pages and produce verbose outputs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide instructs users to save and reload authenticated browser state containing cookies and session material, but does not warn that the exported file is effectively a bearer token store. If that file is copied, logged, or left in a shared temporary directory, an attacker may reuse the session to access the authenticated account without credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The autonomous browser example sends task and browsing context to an external LLM provider while sourcing an API key from the environment, but gives no warning about data egress or credential sensitivity. Users may unknowingly expose page content, scraped data, internal URLs, or other sensitive workflow data to a third-party service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently loads and exports API keys from a local credentials file with no warning, audit prompt, or indication to the user that host secrets are being consumed. This lack of transparency is dangerous in agent tooling because operators may believe the skill is self-contained while it is actually pulling sensitive credentials from the environment or filesystem.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script writes a Python program to a predictable path in /tmp and then executes it, while interpolating untrusted task and model data directly into the generated source. This creates a command/code injection surface and also exposes a race/symlink risk typical of unsafe temporary-file handling, which is more dangerous here because the generated code runs with access to API keys and browser automation capabilities.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Reading API keys from a root-owned configuration file without warning is a sensitive behavior because it harvests secrets outside the skill's own configuration surface. In this context, the skill is an autonomous browser agent, so silently acquiring credentials materially increases the chance of unauthorized external API usage and unexpected data disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
