Browser Use

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH | COMMAND_EXECUTION | CREDENTIALS_UNSAFE | EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (HIGH): The wrapper script scripts/browser-use-agent.sh (and the version installed by install.sh) generates a Python script at runtime by injecting the user-provided $TASK variable directly into a triple-quoted string (task="""$TASK"""). This is a classic injection vulnerability; an attacker or a malicious upstream agent could provide a task string containing """ to break out of the string and execute arbitrary Python code on the host system.
  • CREDENTIALS_UNSAFE (HIGH): The skill's scripts explicitly attempt to read sensitive API keys from /root/.openclaw/openclaw.json. This is a dangerous practice that either requires the agent to run with root privileges or grants the skill access to system-wide credentials that should be protected by the host environment.
  • Indirect Prompt Injection (HIGH): As a browser-based agent skill, it processes untrusted content from the open web. Per Category 8, because the skill has high-privilege capabilities (executing shell commands, writing to /tmp, and managing credentials), the lack of strict sanitization or boundary markers for the data ingested by the browser-use agent creates a significant risk where malicious websites could take control of the agent's execution flow.
  • EXTERNAL_DOWNLOADS (MEDIUM): The install.sh script downloads and installs multiple third-party packages from npm (agent-browser) and PyPI (browser-use, langchain-anthropic, langchain-openai). These are not from the defined list of trusted sources and represent a supply-chain risk.
  • COMMAND_EXECUTION (MEDIUM): The agent-browser tool includes an eval command that allows the execution of arbitrary JavaScript within the browser context. While standard for automation, it increases the attack surface if used with untrusted input.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:30 AM