diff --git a/src/security/audit-extra.sync.test.ts b/src/security/audit-extra.sync.test.ts
index 0e327abc9bd..90fcfdf6e1e 100644
--- a/src/security/audit-extra.sync.test.ts
+++ b/src/security/audit-extra.sync.test.ts
@@ -57,19 +57,32 @@ describe("safeEqualSecret", () => {
 });
 
 describe("collectSmallModelRiskFindings", () => {
-  const baseCfg = {
+  const browserOffCfg = {
     agents: { defaults: { model: { primary: "ollama/mistral-8b" } } },
     browser: { enabled: false },
     tools: { web: { fetch: { enabled: false } } },
   } satisfies OpenClawConfig;
+  const browserDefaultCfg = {
+    agents: { defaults: { model: { primary: "ollama/mistral-8b" } } },
+    tools: { web: { fetch: { enabled: false } } },
+  } satisfies OpenClawConfig;
 
   it.each([
     {
       name: "small model without sandbox all stays critical even when browser/web tools are off",
-      cfg: baseCfg,
+      cfg: browserOffCfg,
       env: {},
+      detailIncludes: ["web=[off]", "No web/browser tools detected"],
+      detailExcludes: ["web=[browser]"],
     },
-  ])("$name", ({ cfg, env }) => {
+    {
+      name: "treats browser as enabled by default when browser config is omitted",
+      cfg: browserDefaultCfg,
+      env: {},
+      detailIncludes: ["web=[browser]"],
+      detailExcludes: ["No web/browser tools detected"],
+    },
+  ])("$name", ({ cfg, env, detailIncludes, detailExcludes }) => {
     const [finding] = collectSmallModelRiskFindings({
       cfg,
       env,
@@ -78,7 +91,11 @@ describe("collectSmallModelRiskFindings", () => {
     expect(finding?.checkId).toBe("models.small_params");
     expect(finding?.severity).toBe("critical");
     expect(finding?.detail).toContain("ollama/mistral-8b");
-    expect(finding?.detail).toContain("web=[off]");
-    expect(finding?.detail).toContain("No web/browser tools detected");
+    for (const snippet of detailIncludes) {
+      expect(finding?.detail).toContain(snippet);
+    }
+    for (const snippet of detailExcludes) {
+      expect(finding?.detail).not.toContain(snippet);
+    }
   });
 });
diff --git a/src/security/audit-extra.sync.ts b/src/security/audit-extra.sync.ts
index f67f0e41817..45370dea89b 100644
--- a/src/security/audit-extra.sync.ts
+++ b/src/security/audit-extra.sync.ts
@@ -23,7 +23,6 @@ import {
   DEFAULT_DANGEROUS_NODE_COMMANDS,
   resolveNodeCommandAllowlist,
 } from "../gateway/node-command-policy.js";
-import { resolveBrowserConfig } from "../plugin-sdk/browser-config.js";
 import { hasBundledWebSearchCredential } from "../plugins/bundled-web-search-registry.js";
 import { inferParamBFromIdOrName } from "../shared/model-param-b.js";
 import { pickSandboxToolPolicy } from "./audit-tool-policy.js";
@@ -350,11 +349,9 @@ function isWebFetchEnabled(cfg: OpenClawConfig): boolean {
 }
 
 function isBrowserEnabled(cfg: OpenClawConfig): boolean {
-  try {
-    return resolveBrowserConfig(cfg.browser, cfg).enabled;
-  } catch {
-    return true;
-  }
+  // The audit only needs the enablement policy, not full browser runtime
+  // resolution. Browser defaults to enabled unless it is explicitly disabled.
+  return cfg.browser?.enabled !== false;
 }
 
 function listGroupPolicyOpen(cfg: OpenClawConfig): string[] {