bb-browser-openclaw
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the `bb-browser` binary and utilizes the `Bash(bb-browser:*)` tool to execute arbitrary commands within that tool's namespace. This allows the agent to perform web scraping and system-level operations defined by the binary's capabilities.
- [EXTERNAL_DOWNLOADS]: The instruction set includes the command `bb-browser site update`, which is described as a way to 'pull community adapters'. These adapters are external logic or configuration files downloaded from a remote source. If these community-contributed files are not subject to a rigorous verification process, they could contain malicious logic that exploits the browser environment or the agent's permissions.
- [PROMPT_INJECTION]: The primary function of the skill is to ingest data from a vast array of external websites (social media, news, developer forums, etc.). This content is untrusted and provides a significant surface for indirect prompt injection attacks.
  - Ingestion points: Data is entered into the agent's context via the output of `bb-browser site` commands across various platforms (SKILL.md).
  - Boundary markers: The instructions do not define any delimiters or system messages to help the agent distinguish between data and potential instructions embedded in the scraped content.
  - Capability inventory: The agent has the ability to execute Bash commands via the `bb-browser` tool and process the resulting data in its reasoning loop.
  - Sanitization: There is no evidence of content sanitization, filtering, or validation before the scraped data is processed by the AI.
Audit Metadata