ClawAudit verdict

browser-use

88
๐ŸŸข Trusted
No high-risk patterns surfaced by the deep scan โ€” automated capability review, not behavioral proof.

Receives external input AND uses eval

The skill documents standard browser automation CLI commands (navigate, click, screenshot, extract) with no evidence of credential exfiltration, obfuscated eval, or malicious redirection; capabilities like credential_access and dynamic_eval are consistent with legitimate browser automation use.

Automated static analysis โ€” not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.

0
security
50
transparency
70
maintenance

What it does

These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence โ€” it does not verify that one flows into another. Read the code to confirm a live chain.

Capability combination critical

Receives external input AND uses eval โ€” the remote code-injection pattern (data-flow not verified)

LLM01 ยท LLM05 ยท ASI01 ยท ASI05

Capability combination critical

Encodes data AND uses eval โ€” the obfuscated-execution pattern (atob + eval; data-flow not verified)

LLM05 ยท ASI05 ยท ASI10

Capability combination high

Accesses credentials AND encodes data โ€” may obfuscate stolen credentials

LLM02 ยท ASI03 ยท ASI04

Permission integrity

Code accesses API keys/tokens but declares no environment variables

credential_access

Why the tier is capped

Execution sink present in raw bytes (Hard Floor: class B). Final tier capped at Caution โ€” cannot be lifted by any downgrade, example-payload opt-in, or allowlist.

Permissions & capabilities

No declared permissions โ€” minimal attack surface.

credential_accessdynamic_evaldata_encodingnetwork_in
Check another skill Browse the registry Auditing your own skills or configs? Use the API