browser-plus
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Found in
scripts/adapters/native-browser.js. The functionsnavigate,snapshot, andcallBrowserToolconstruct shell commands by joining arrays into strings and passing them toexecSync. This pattern allows for command injection if input parameters likeurl,targetId, orrefscontain shell metacharacters (e.g.,;,&,|). - Evidence in
navigate:execSync(openclaw ${args.join(' ')}, ...)whereargsincludes theurlparameter. - Evidence in
callBrowserTool:execSync(openclaw ${args.join(' ')}, ...)whereargsincludes therequestparameter. - [COMMAND_EXECUTION]: Found in
scripts/composite/tweet.js. TheuploadMediafunction usesexecSyncto execute theopenclawCLI and interpolates a JSON string containing themediaPathinto a shell command within single quotes. If themediaPathcontains single quotes, an attacker could break out of the shell quoting to execute arbitrary commands. - [EXTERNAL_DOWNLOADS]: The skill requires external binaries
openclawandagent-browser. The installation scriptinstall.shchecks for these tools and provides guidance on how to install them from their official sources. - [PROMPT_INJECTION]: The skill exhibits a vulnerability to indirect prompt injection by acting on untrusted data from web pages.
- Ingestion points:
nativeBrowser.snapshot()inscripts/composite/tweet.jsandindex.js. - Boundary markers: None; the skill uses webpage attributes like
aria-label,data-testid, androledirectly for logic. - Capability inventory: Subprocess execution via
execSyncandspawnfor browser interactions (click, type, navigate). - Sanitization: No sanitization is performed on data retrieved from the DOM before it is used in automation logic.
Recommendations
- AI detected serious security threats
Audit Metadata