From ad7cd8f44d6e0616bd23d9693a7d0afb54d62afd Mon Sep 17 00:00:00 2001 From: Nir Zadok Date: Thu, 29 Jan 2026 13:03:08 +0200 Subject: [PATCH] fix(security): disable browser.evaluateEnabled by default BREAKING CHANGE: browser.evaluateEnabled now defaults to false. The evaluate feature allows arbitrary JavaScript execution in the browser context via the /act endpoint (kind=evaluate) and wait --fn. This is a powerful escape hatch for advanced automation but poses security risks: - Prompt injection: LLM agents can be tricked into running malicious code - Network exposure: If gateway is accessible, attackers can exfiltrate data - Session hijacking: Code runs with access to cookies, localStorage, DOM With this change: - act:evaluate and wait --fn return 403 by default - Users who need this feature can enable it explicitly: browser.evaluateEnabled: true Built-in actions (click, type, screenshot, wait for text/URL, etc.) remain fully functional and cover the vast majority of automation use cases.
---
 docs/gateway/configuration.md | 4 ++--
 docs/tools/browser.md | 2 +-
 src/agents/skills/config.ts | 2 +-
 src/browser/constants.ts | 2 +-
 src/config/types.browser.ts | 2 +-
 src/hooks/config.ts | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/docs/gateway/configuration.md b/docs/gateway/configuration.md
index 1d270974d..aca3d1f7a 100644
--- a/docs/gateway/configuration.md
+++ b/docs/gateway/configuration.md
@@ -2769,7 +2769,7 @@ scheme/host for profiles that only set `cdpPort`.
 Defaults:
 - enabled: `true`
-- evaluateEnabled: `true` (set `false` to disable `act:evaluate` and `wait --fn`)
+- evaluateEnabled: `false` (set `true` to enable `act:evaluate` and `wait --fn`; disabled by default for security)
 - control service: loopback only (port derived from `gateway.port`, default `18791`)
 - CDP URL: `http://127.0.0.1:18792` (control service + 1, legacy single-profile)
 - profile color: `#FF4500` (lobster-orange)
@@ -2780,7 +2780,7 @@ Defaults:
 {
 browser: {
 enabled: true,
- evaluateEnabled: true,
+ evaluateEnabled: false,
 // cdpUrl: "http://127.0.0.1:18792", // legacy single-profile override
 defaultProfile: "chrome",
 profiles: {
diff --git a/docs/tools/browser.md b/docs/tools/browser.md
index 084c36bf3..dd4223b8a 100644
--- a/docs/tools/browser.md
+++ b/docs/tools/browser.md
@@ -507,7 +507,7 @@ These are useful for “make the site behave like X” workflows:
 - The clawd browser profile may contain logged-in sessions; treat it as sensitive.
 - `browser act kind=evaluate` / `moltbot browser evaluate` and `wait --fn` execute arbitrary JavaScript in the page context. Prompt injection can steer
- this. Disable it with `browser.evaluateEnabled=false` if you do not need it.
+ this. **Disabled by default for security.** Enable with `browser.evaluateEnabled: true` if needed.
 - For logins and anti-bot notes (X/Twitter, etc.), see [Browser login + X/Twitter posting](/tools/browser-login).
 - Keep the Gateway/node host private (loopback or tailnet-only).
 - Remote CDP endpoints are powerful; tunnel and protect them.
diff --git a/src/agents/skills/config.ts b/src/agents/skills/config.ts
index 57c2f7eca..ee61027f5 100644
--- a/src/agents/skills/config.ts
+++ b/src/agents/skills/config.ts
@@ -6,7 +6,7 @@ import type { SkillEligibilityContext, SkillEntry } from "./types.js";
 const DEFAULT_CONFIG_VALUES: Record = {
 "browser.enabled": true,
- "browser.evaluateEnabled": true,
+ "browser.evaluateEnabled": false,
 };
 function isTruthy(value: unknown): boolean {
diff --git a/src/browser/constants.ts b/src/browser/constants.ts
index e06a7dff8..38b3d63bd 100644
--- a/src/browser/constants.ts
+++ b/src/browser/constants.ts
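Review bot: The new default in the `src/agents/skills/config.ts` hunk is written as a literal `false` inside `DEFAULT_CONFIG_VALUES`, and the same literal appears again in the matching table in `src/hooks/config.ts`, while the authoritative value is `DEFAULT_BROWSER_EVALUATE_ENABLED` in `src/browser/constants.ts`. Three independent copies of a security default can drift, so skill or hook eligibility could later report evaluate as available while the gateway enforces the opposite, or the reverse. Consider importing the constant and writing `"browser.evaluateEnabled": DEFAULT_BROWSER_EVALUATE_ENABLED,` in both tables. The code that reads `DEFAULT_CONFIG_VALUES`, and the body of `isTruthy`, lie outside the hunk.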
@@ -1,5 +1,5 @@
 export const DEFAULT_CLAWD_BROWSER_ENABLED = true;
-export const DEFAULT_BROWSER_EVALUATE_ENABLED = true;
+export const DEFAULT_BROWSER_EVALUATE_ENABLED = false;
 export const DEFAULT_CLAWD_BROWSER_COLOR = "#FF4500";
 export const DEFAULT_CLAWD_BROWSER_PROFILE_NAME = "clawd";
 export const DEFAULT_BROWSER_DEFAULT_PROFILE_NAME = "chrome";
diff --git a/src/config/types.browser.ts b/src/config/types.browser.ts
index d8678b80b..06de7f09f 100644
--- a/src/config/types.browser.ts
+++ b/src/config/types.browser.ts
@@ -14,7 +14,7 @@ export type BrowserSnapshotDefaults = {
 };
 export type BrowserConfig = {
 enabled?: boolean;
- /** If false, disable browser act:evaluate (arbitrary JS). Default: true */
+ /** If true, enable browser act:evaluate (arbitrary JS). Default: false (disabled for security) */
 evaluateEnabled?: boolean;
 /** Base URL of the CDP endpoint (for remote browsers). Default: loopback CDP on the derived port. */
 cdpUrl?: string;
diff --git a/src/hooks/config.ts b/src/hooks/config.ts
index b9b9c0fb2..a059ea0a7 100644
--- a/src/hooks/config.ts
+++ b/src/hooks/config.ts
@@ -6,7 +6,7 @@ import type { HookEligibilityContext, HookEntry } from "./types.js";
 const DEFAULT_CONFIG_VALUES: Record = {
 "browser.enabled": true,
- "browser.evaluateEnabled": true,
+ "browser.evaluateEnabled": false,
 "workspace.dir": true,
 };
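Review bot: `DEFAULT_BROWSER_EVALUATE_ENABLED` in `src/browser/constants.ts` is now a deny-by-default security control, but the diffstat lists no test file, so nothing in this patch pins the behaviour the commit message promises (403 for `act` with `kind=evaluate` and for `wait --fn` when the key is unset). A regression test that loads a config without `browser.evaluateEnabled` and asserts both paths are refused would stop a later refactor from silently re-enabling arbitrary page JavaScript. A short comment on the constant would help as well, for example `/** Security default: act:evaluate and wait --fn run arbitrary JS in the page context; opt in via browser.evaluateEnabled. */`. The enforcement code is not part of this diff, so this assumes it reads the constant.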
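Review bot: The rewritten doc comment on `evaluateEnabled` in `src/config/types.browser.ts` names only `act:evaluate`, while the commit message and `docs/gateway/configuration.md` say the same flag also gates `wait --fn`. Someone reading only the type would not learn that enabling it opens a second arbitrary-JavaScript path. Suggested wording: `/** If true, enable browser act:evaluate and wait --fn (arbitrary JS in the page context). Default: false (disabled for security). */`. `BrowserConfig` continues past the end of the hunk.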