browser-cash

🔴 HIGH Findings: • COMMAND_EXECUTION (Arbitrary JavaScript Execution)

• Line 59-70 (and 120-131): The skill provides and recommends using node -e "..." to execute JavaScript code. This allows for arbitrary JavaScript execution within the agent's environment. While the example code is benign, the mechanism itself is a powerful command execution vector. The $CDP_URL is derived from an external API response, which could be manipulated by a malicious browser.cash service to inject harmful code into the node -e command.

🟡 MEDIUM Findings: • EXTERNAL_DOWNLOADS (Unverifiable Dependencies)

• Line 30-33 (and 56-58, 117-119): The skill instructs npm install playwright puppeteer-core. These are external dependencies downloaded from npmjs.com. While npmjs.com is generally trusted, the specific packages are not from the "Trusted GitHub Organizations" list, and npm install itself is a mechanism for downloading and executing external code. This introduces a dependency on the integrity of these packages and the npm registry. • DATA_EXFILTRATION (API Key Usage with External Service)
• Line 25, 40, 47, 50, 60, 73, 80, 87, 94, 101, 120, 131: The skill retrieves an API key (BROWSER_CASH_KEY) using clawdbot config get and then uses it in Authorization: Bearer headers for curl requests to https://api.browser.cash. While this is necessary for the skill's functionality and the key is retrieved securely, it means a sensitive credential is being sent to an external, non-trusted third-party service. If browser.cash were compromised or malicious, this key could be exfiltrated.

🔵 LOW Findings: • COMMAND_EXECUTION (General Shell Commands)

• The skill extensively uses curl, jq, cd, npm, node. These are all shell commands. While necessary for the skill's operation, they represent a broad attack surface for command injection if inputs were not properly sanitized. In this skill, inputs like $SESSION_ID and $CDP_URL are derived from the browser.cash API response, making the trustworthiness of that API crucial.