Skill v1.0.4
ClawScan security
Rent My Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 8:02 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is coherent with its stated purpose (renting out a browser) but has several concerning behaviors (autonomous frequent polling, persistence of a generated private key and API credentials to disk, and execution of consumer-supplied tasks) that increase risk unless you fully trust the marketplace operator and audit the code.
- Guidance: What to consider before installing:
  - Trust: This skill connects your node to an external marketplace and executes tasks submitted by strangers. Only install if you trust the marketplace operator (api.rentmybrowser.dev) and their security/privacy practices.
  - Secrets & persistence: The skill will store an API key and a generated private key/wallet in a persistent directory (~/.rent-my-browser by default). Those files can be used to act as your node and should be treated as highly sensitive. Consider setting RMB_PERSIST_DIR to an isolated location or not installing if you cannot secure those files.
  - Execution surface: Tasks are executed by opening a browser and interacting with arbitrary sites. Even with the provided validator, regex-based checks are brittle; a malicious or poorly-constructed task could still cause unwanted actions or data leakage. Do not run this on a machine containing sensitive keys, accounts, or personal data; prefer an isolated VM/container.
  - Scheduling frequency: The cron job runs every 10s by default (heavy). Consider reducing frequency or only running manually until you’re confident in behavior.
  - Hardening: Before enabling, review/modify scripts: a) run npm install in the skill directory to satisfy node deps, b) inspect and test validate-task.mjs coverage for your threat model, c) restrict modes with RMB_ALLOWED_MODES (e.g., disallow 'adversarial'), and d) consider configuring RMB_PERSIST_DIR to a secure location with restricted permissions.
  - Removability: To stop the skill, run the provided disconnect.sh which attempts to remove the cron job and report in-progress tasks; test this in your environment to ensure it properly cleans up.
  If you are not willing to audit the code and run it in a strongly isolated environment, do not install or run this skill.
- Findings
[ignore-previous-instructions] unexpected: The static pre-scan detected a prompt-injection pattern ('ignore previous instructions') in SKILL.md. The skill includes a validator (validate-task.mjs) that explicitly searches for and rejects common prompt-injection phrases, which explains why such patterns appear in the codebase; however, the existence of the pattern in the skill text still increases the need to inspect validator coverage because simple regex checks can be bypassed.
Review Dimensions
- Purpose & Capability (note): Name/description match what the code does: it contacts a Rent My Browser API, claims tasks, runs a browser, and reports steps. Declared requirements (curl, jq, node, RMB_API_KEY) map to the scripts. Minor mismatch: Node dependency (viem) is present in package.json/package-lock but there is no install step; the connect script even mentions 'ensure npm install' is run, so the skill expects the host to run npm install manually.
- Instruction Scope (concern): SKILL.md instructs the agent to register a cron job that polls an external marketplace every 10s and to execute arbitrary consumer task payloads with the node's browser. Tasks may include consumer-provided data (including credentials) and the agent is asked to interact with remote sites, take screenshots, and post results. A local validator script runs simple regex checks, but validation is limited and could be bypassed; the execution scope therefore includes high-risk actions (taking input from external parties, interacting with arbitrary websites, and potentially entering credentials).
- Install Mechanism (note): There is no automated install spec. The skill includes Node code and a package-lock.json (viem and crypto libs) but doesn't provide an install step; scripts warn that 'npm install' must be run. No external archive downloads from untrusted URLs are used; network calls are only to api.rentmybrowser.dev and ipinfo.io. Lack of an automated install step is operationally awkward and should be documented/managed before use.
- Credentials (concern): The primary credential (RMB_API_KEY) is appropriate for a marketplace client, but the skill persists sensitive secrets to disk: it generates an on-chain wallet privateKey and writes it (wallet.json) to both state/ and a persistent folder (default ~/.rent-my-browser) with retention across updates. It also saves API keys and node IDs to the persistent directory. These persistent secrets increase risk if the host or backups are compromised. The scripts also honor additional env vars (RMB_PERSIST_DIR, RMB_WALLET_ADDRESS, RMB_ALLOWED_MODES) that are not declared in metadata.
- Persistence & Privilege (concern): The skill registers a cron job (openclaw cron add) running every 10s to autonomously poll and trigger isolated sessions. Although 'always: true' is not set, this frequent autonomous scheduling combined with persistent credentials increases blast radius: the skill can be woken frequently to execute remote-submitted tasks. It does not appear to modify other skills, but it writes persistent state in the user's home directory.
