clawbrowser
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the official @playwright/cli package from the NPM registry, which is a well-known service maintained by Microsoft.
- [COMMAND_EXECUTION]: Provides instructions for the agent to use playwright-cli for complex browser interactions, including form filling, session management, and tab control.
- [DATA_EXFILTRATION]: Includes commands to capture sensitive browser data such as screenshots, PDF exports, and network/console logs, which can extract sensitive information from web pages.
- [PROMPT_INJECTION]: Employs deceptive metadata in the form of security audit badges from clawaudit.duckdns.org (a dynamic DNS domain) claiming the skill has no vulnerabilities, which is a misleading trust signal.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection when processing data from external websites.
  - Ingestion points: Retrieves untrusted content from the web via open and snapshot commands in SKILL.md.
  - Boundary markers: No explicit markers or instructions are provided to help the agent distinguish between website content and operational commands.
  - Capability inventory: The skill provides access to powerful tools like run-code and eval which can execute arbitrary code in the browser context.
  - Sanitization: There is no evidence of sanitization or validation of external web content before it enters the agent's context.
- [REMOTE_CODE_EXECUTION]: Offers functionality for dynamic script execution within the browser via the run-code command, which could be exploited through indirect prompt injection to perform unauthorized actions.