autofillin

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The setup-env.sh script contains a string recommending the user install Node.js via a piped shell script from the nvm-sh repository on GitHub. While this pattern (curl|bash) is a common attack vector, analysis confirms the command is only echoed to the terminal as a suggestion and is never executed by the skill itself.
  • [CREDENTIALS_UNSAFE]: The skill uses a session persistence mechanism that stores browser cookies and authentication tokens in a local file at ~/.playwright-auth.json. While this constitutes sensitive data access, it is a core feature required for the skill's primary function of maintaining logins during automation.
  • [COMMAND_EXECUTION]: Several scripts perform system-level operations to manage the automation environment:
      • The start-chrome.sh script uses pgrep and pkill to manage browser processes.
      • The setup-env.sh script uses lsof to check for port conflicts and kill conflicting processes.
      • The setup-env.sh script dynamically generates a shell launcher script (launch-chrome.sh) and uses chmod +x to set executable permissions.
  • [EXTERNAL_DOWNLOADS]: The setup-env.sh script triggers the download of browser binaries via the npx playwright install command. These downloads come from official Microsoft/Playwright sources, which are well-known and trusted repositories.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) due to its interaction with external web content.
      • Ingestion points: The skill reads page structure and accessibility trees via take_snapshot and navigate_page tools (documented in SKILL.md).
      • Boundary markers: The skill workflow explicitly includes a mandatory 'WAIT FOR MANUAL CONFIRMATION' step, providing a robust human-in-the-loop mitigation against accidental obedience to malicious instructions in web forms.
      • Capability inventory: The skill can click buttons, fill form fields, and upload files within a browser context, and can execute local management scripts.
      • Sanitization: No explicit input sanitization of web content is performed in the scripts; they rely primarily on the manual confirmation step for security.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 10, 2026, 03:33 AM