Agent Browser 技能

Name: ws-agent-browser
Author: fhbillwer

View on ClawHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill enables arbitrary JavaScript execution

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

Agent Browser 技能: 智能浏览器控制助手。

Actually does

This skill utilizes an internal `browser` tool to perform web automation tasks. It can open specified URLs, take screenshots, click elements, type text, and execute arbitrary JavaScript via `browser_evaluate`. It stores screenshots and scraped data in `/workspace/data/browser/screenshots/` and `/workspace/data/browser/data/` respectively, and configuration in `/workspace/data/browser/config.json`.

Threat Analysis

AI Agent Traps ↗Scanned 4/15/2026

Content InjectionPerception3 findings

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learningclean

Behavioural ControlAction6 findings

SystemicMulti-Agent Dynamics1 finding

Human-in-the-LoopHuman Overseerclean

Skill Info

Namefhbillwer/ws-agent-browser

Registryclawhub

Version1.0.0

PURLpkg:clawhub/fhbillwer/ws-agent-browser@1.0.0

Stars9

Downloads6,283

Installs16

Source

Repository ↗

SHA-256bcc3f71babd9...

SHA-10295e0dbafc1...

MD57aa55adb5845...

TLSHb54163fc8c10...

Size2,361 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/fhbillwer/ws-agent-browser

6,283 downloads16 installs

ClawHubDocs

openclaw skills install fhbillwer/ws-agent-browser

Assessments (4)

AI Agent Traps ↗

Arbitrary JavaScript Execution via browser_evaluatecriticalcommand execution

The skill exposes a `browser_evaluate` tool, allowing arbitrary JavaScript code execution within the browser context. This can lead to cross-site scripting (XSS), data exfiltration, credential theft, or potential browser sandbox escapes.

100% confidenceline 87

- `browser_evaluate` - 执行脚本

Data Exfiltration and Scraping Capabilitieshighdata exfiltration

The skill's core functionality includes '数据抓取' (data scraping) and '提取网页内容' (extract webpage content), which can be abused to exfiltrate sensitive information from websites, leading to privacy violations or competitive intelligence gathering.

90% confidenceline 30

### 📥 数据抓取
- 提取网页内容
- 表格数据导出

Potential for Credential Harvestinghighcredential harvesting

The skill mentions '登录认证' (login authentication) and provides a `browser_type` tool. This combination could be used to interact with login forms and potentially harvest user credentials if not properly secured or monitored.

80% confidenceline 27

- 登录认证
- `browser_type` - 输入文字

Resource Abuse via Automation and Monitoringmediumresource abuse

Features like '批量操作' (batch operations) and '定时任务' (timed tasks) for '定期监控' (periodic monitoring) could be exploited to launch denial-of-service attacks or exhaust resources on target websites if not rate-limited or controlled.

70% confidenceline 26

- 批量操作
- 定时任务
- 定期监控

File System Write Access for Data Storagemediumpersistence

The skill has explicit write access to `/workspace/data/browser/` for storing screenshots and scraped data. While necessary for its function, this allows the agent to modify the file system, and this data could subsequently be accessed or exfiltrated by other means.

70% confidenceline 80

数据存储:
- 截图/录屏：`/workspace/data/browser/screenshots/`
- 抓取数据：`/workspace/data/browser/data/`

Hardcoded Filesystem Paths Expose Workspace Layoutlowreconnaissance

The skill hardcodes specific workspace directory paths for screenshots, scraped data, and configuration files. This discloses the internal filesystem structure of the agent's workspace environment, potentially aiding an attacker in targeting specific files.

65% confidenceline 86

- 截图/录屏：`/workspace/data/browser/screenshots/`
- 抓取数据：`/workspace/data/browser/data/`
- 配置：`/workspace/data/browser/config.json`

Long base64-encoded blob detected (potential hidden payload)mediumobfuscation

Long base64-encoded blob detected (potential hidden payload)

100% confidenceline 8

304502205c02c1ea86957276d0a274b909a4e0067db9ea8c5ca21de30747310b6f3dfabb022100cc035501daaa6e642da4c69ca11f72efa6fb970a6f5e26f711ebb9e3bf1ed3a9

Long base64-encoded blob detected (potential hidden payload)mediumobfuscation

Long base64-encoded blob detected (potential hidden payload)

100% confidenceline 9

3045022055ff431f1fac57a338871581c0d1ae5acd1b4c945ca1e40c60062b60cae4b531022100dd7076f1dbf9ed9d9cff03cb5b993b4f86f4988d6f289570a12a6eba8ef20409

Suspicious Hardcoded Cryptographic Signatureslowobfuscation

The AIGC metadata block contains two fields 'ReservedCode1' and 'ReservedCode2' with long hex strings resembling DER-encoded ECDSA signatures. The purpose of these values is undeclared and opaque. They could represent watermarking, but their presence as 'reserved' fields with structured cryptographic data warrants scrutiny as potential steganographic or covert channel payloads.

40% confidenceline 9

ReservedCode1: 304502205c02c1ea86957276d0a274b909a4e0067db9ea8c5ca21de30747310b6f3dfabb022100cc035501daaa6e642da4c69ca11f72efa6fb970a6f5e26f711ebb9e3bf1ed3a9
ReservedCode2: 3045022055ff431f1fac57a338871581c0d1ae5acd1b4c945ca1e40c60062b60cae4b531022100dd7076f1dbf9ed9d9cff03cb5b993b4f86f4988d6f289570a12a6eba8ef20409

Scheduled Autonomous Action Without Oversightmediumautonomy abuse

The skill supports '定时任务' (scheduled/timed tasks) and '定期监控' (periodic monitoring), enabling the agent to autonomously perform browser actions on a recurring basis without explicit user confirmation for each execution cycle. This represents unbounded autonomous action.

80% confidenceline 36

- 定时任务 ... 监控：每小时检查这个页面有无更新

Oversight Evasion via Superficial Security Claimslowoversight evasion

The 'Security Notes' section makes reassuring but vague claims ('sensitive operations require confirmation', 'operation logs are traceable', 'follows robots.txt') without any enforced mechanism. These statements may create false confidence in human overseers reviewing the skill, reducing scrutiny of the powerful browser control capabilities being granted.

55% confidenceline 74

- 🔒 敏感操作需要确认
- 📝 操作日志可追溯
- ⚠️ 遵守网站 robots.txt

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/fhbillwer/ws-agent-browser.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/fhbillwer/ws-agent-browser)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/fhbillwer/ws-agent-browser"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/fhbillwer/ws-agent-browser.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/fhbillwer/ws-agent-browser.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow