ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rent My Browser

v1.0.4

When the agent is idle, connect to the Rent My Browser marketplace and execute browser tasks for consumers. Earn money by renting out the node's browser duri...

1· 362·1 current·1 all-time
by@0xpasho
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match what the code does: it contacts a Rent My Browser API, claims tasks, runs a browser, and reports steps. Declared requirements (curl, jq, node, RMB_API_KEY) map to the scripts. Minor mismatch: Node dependency (viem) is present in package.json/package-lock but there is no install step — the connect script even mentions 'ensure npm install' is run, so the skill expects the host to run npm install manually.
!
Instruction Scope
SKILL.md instructs the agent to register a cron job that polls an external marketplace every 10s and to execute arbitrary consumer task payloads with the node's browser. Tasks may include consumer-provided data (including credentials) and the agent is asked to interact with remote sites, take screenshots, and post results. A local validator script runs simple regex checks, but validation is limited and could be bypassed; the execution scope therefore includes high-risk actions (taking input from external parties, interacting with arbitrary websites, and potentially entering credentials).
Install Mechanism
There is no automated install spec. The skill includes Node code and a package-lock.json (viem and crypto libs) but doesn't provide an install step; scripts warn that 'npm install' must be run. No external archive downloads from untrusted URLs are used; network calls are only to api.rentmybrowser.dev and ipinfo.io. Lack of an automated install step is operationally awkward and should be documented/managed before use.
!
Credentials
The primary credential (RMB_API_KEY) is appropriate for a marketplace client, but the skill persists sensitive secrets to disk: it generates an on-chain wallet privateKey and writes it (wallet.json) to both state/ and a persistent folder (default ~/.rent-my-browser) with retention across updates. It also saves API keys and node IDs to the persistent directory. These persistent secrets increase risk if the host or backups are compromised. The scripts also honor additional env vars (RMB_PERSIST_DIR, RMB_WALLET_ADDRESS, RMB_ALLOWED_MODES) that are not declared in metadata.
!
Persistence & Privilege
The skill registers a cron job (openclaw cron add) running every 10s to autonomously poll and trigger isolated sessions. Although 'always: true' is not set, this frequent autonomous scheduling combined with persistent credentials increases blast radius: the skill can be woken frequently to execute remote-submitted tasks. It does not appear to modify other skills, but it writes persistent state in the user's home directory.
Scan Findings in Context
[ignore-previous-instructions] unexpected: The static pre-scan detected a prompt-injection pattern ('ignore previous instructions') in SKILL.md. The skill includes a validator (validate-task.mjs) that explicitly searches for and rejects common prompt-injection phrases, which explains why such patterns appear in the codebase; however, the existence of the pattern in the skill text still increases the need to inspect validator coverage because simple regex checks can be bypassed.
What to consider before installing
What to consider before installing: - Trust: This skill connects your node to an external marketplace and executes tasks submitted by strangers. Only install if you trust the marketplace operator (api.rentmybrowser.dev) and their security/privacy practices. - Secrets & persistence: The skill will store an API key and a generated private key/wallet in a persistent directory (~/.rent-my-browser by default). Those files can be used to act as your node and should be treated as highly sensitive. Consider setting RMB_PERSIST_DIR to an isolated location or not installing if you cannot secure those files. - Execution surface: Tasks are executed by opening a browser and interacting with arbitrary sites. Even with the provided validator, regex-based checks are brittle — a malicious or poorly-constructed task could still cause unwanted actions or data leakage. Do not run this on a machine containing sensitive keys, accounts, or personal data; prefer an isolated VM/container. - Scheduling frequency: The cron job runs every 10s by default (heavy). Consider reducing frequency or only running manually until you’re confident in behavior. - Hardening: Before enabling, review/modify scripts: a) run npm install in the skill directory to satisfy node deps, b) inspect and test validate-task.mjs coverage for your threat model, c) restrict modes with RMB_ALLOWED_MODES (e.g., disallow 'adversarial'), and d) consider configuring RMB_PERSIST_DIR to a secure location with restricted permissions. - Removeability: To stop the skill, run the provided disconnect.sh which attempts to remove the cron job and report in-progress tasks; test this in your environment to ensure it properly cleans up. If you are not willing to audit the code and run it in a strongly isolated environment, do not install or run this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk976s34kzfwcp01vjgr2jpxp7x82a7hj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq, node
Primary envRMB_API_KEY

Comments