Trusted (risk score 5/100)
Last scanned: 19 hours ago
browser-use-init
Chrome DevTools Protocol (CDP) initialization for browser automation using Playwright and browser-use Agent
Legitimate Chrome browser automation skill using CDP protocol with documented subprocess usage for browser process management.
Skill name: browser-use-init
Analysis time: 34.3s
Engine: pi
Safe to install
This skill is safe for use. No security concerns identified.

Security findings: 1

Severity: Low
Finding: Dependencies not version pinned (supply chain)
SKILL.md shows 'pip install playwright' without a version specifier, which could lead to unexpected updates
pip install playwright
→ Pin versions for reproducible builds: pip install playwright==1.50.0
Location: SKILL.md:148
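| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Command execution | WRITE | WRITE | ✓ Consistent | start_chrome.py:58 subprocess.Popen with shell=True for launching Chrome |
| Network access | READ | READ | ✓ Consistent | All network calls are localhost-only CDP/WebSocket connections |
| File system | WRITE | WRITE | ✓ Consistent | Profile copying to custom directory, documented behavior |
| Browser | WRITE | WRITE | ✓ Consistent | Core purpose - browser automation via CDP protocol |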
6 findings
Medium, external URL: https://www.jd.com/ (SKILL.md:68)
Medium, external URL: https://chromedevtools.github.io/devtools-protocol/ (references/chrome-cdp-solution.md:209)
Medium, external URL: https://playwright.dev/python/docs/browsers#connect-to-an-existing-browser-instance (references/chrome-cdp-solution.md:210)
Medium, external URL: https://docs.browser-use.com/ (references/chrome-cdp-solution.md:211)
Medium, external URL: https://developers.google.com/privacy-sandbox/3pcd (references/chrome-cdp-solution.md:212)
Medium, external URL: https://www.example.com (scripts/playwright_connect.py:17)

Directory structure

6 files · 27.0 KB · 828 lines
Markdown: 2 files · 505 lines; Python: 4 files · 323 lines
├─ 📁 references
│ └─ 📝 chrome-cdp-solution.md Markdown 212L · 8.0 KB
├─ 📁 scripts
│ ├─ 🐍 playwright_connect.py Python 71L · 2.6 KB
│ ├─ 🐍 query_cdp.py Python 57L · 1.8 KB
│ ├─ 🐍 run_agent.py Python 75L · 2.5 KB
│ └─ 🐍 start_chrome.py Python 120L · 4.1 KB
└─ 📝 SKILL.md Markdown 293L · 8.1 KB

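Dependency analysis: 3 items

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| playwright | * | pip | | Version not pinned |
| browser-use | * | pip | | Version not pinned |
| langchain-ollama | * | pip | | Version not pinned |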

Security highlights

✓ All shell execution is explicitly documented (kill/start Chrome)
✓ All network requests are localhost-only (CDP/WebSocket debugging)
✓ No base64-encoded commands or obfuscation observed
✓ No credential harvesting or exfiltration detected
✓ No remote script downloads (curl|bash pattern absent)
✓ Profile copying is the documented core feature, not hidden behavior
✓ No access to sensitive paths like ~/.ssh or .env
✓ LLM-driven browser control is clearly scoped to user-provided tasks