ClawAudit verdict
browser-use
Receives external input AND uses eval
The skill documents standard browser automation CLI commands (navigate, click, screenshot, extract) with no evidence of credential exfiltration, obfuscated eval, or malicious redirection; capabilities like credential_access and dynamic_eval are consistent with legitimate browser automation use.
Automated static analysis โ not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
What it does
These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence โ it does not verify that one flows into another. Read the code to confirm a live chain.
Receives external input AND uses eval โ the remote code-injection pattern (data-flow not verified)
LLM01 ยท LLM05 ยท ASI01 ยท ASI05
Encodes data AND uses eval โ the obfuscated-execution pattern (atob + eval; data-flow not verified)
LLM05 ยท ASI05 ยท ASI10
Accesses credentials AND encodes data โ may obfuscate stolen credentials
LLM02 ยท ASI03 ยท ASI04
Permission integrity
credential_access
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class B). Final tier capped at Caution โ cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions โ minimal attack surface.
credential_accessdynamic_evaldata_encodingnetwork_in Thanks โ recorded.