agent-browser-4

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (MEDIUM): The documentation and templates demonstrate unsafe credential handling patterns, specifically the inclusion of cleartext usernames and passwords within proxy URLs.
      • Evidence: references/proxy-support.md (line 25) demonstrates export HTTP_PROXY="http://username:password@proxy.example.com:8080".
      • Evidence: references/authentication.md (line 18) includes hardcoded example credentials (password123) which, while intended as placeholders, may be inadvertently used by developers.
  • [DATA_EXFILTRATION] (MEDIUM): The skill implements session persistence by saving sensitive browser state—including session cookies and local storage tokens—to unencrypted local JSON files (auth-state.json). If these files are not properly secured or are accidentally committed to version control, they provide an attacker with full session hijacking capabilities.
      • Evidence: templates/authenticated-session.sh (line 69) and references/session-management.md (line 35) use the agent-browser state save command to create these artifacts.
  • [PROMPT_INJECTION] (LOW): The skill is highly susceptible to Indirect Prompt Injection. It is designed to navigate to arbitrary URLs and extract page structure and text content which is then processed by the agent. This content could contain malicious instructions (e.g., in HTML comments or hidden text) designed to hijack the agent's flow.
      • Ingestion points: templates/capture-workflow.sh (line 19) and templates/form-automation.sh (line 11) using agent-browser open and agent-browser snapshot.
      • Boundary markers: None present; external content is not wrapped or delimited to distinguish it from system instructions.
      • Capability inventory: The skill has powerful capabilities including form filling, file uploads, and session state management which could be abused via injection.
      • Sanitization: No evidence of sanitization or filtering of the HTML/text content retrieved from the browser.
  • [COMMAND_EXECUTION] (LOW): The skill relies extensively on a non-standard external binary agent-browser. While this is the core function of the skill, the execution of external tools to perform network and file operations requires trust in the tool's own security posture.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 05:03 AM