Skill v6.1.2

ClawScan security

AutoClaw Browser Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 15, 2026, 7:43 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is broadly coherent with a browser-automation plugin (local MCP server + Chrome extension) but has several insecure/default behaviors (hard-coded token, permanent authorization, default auto-attach) and broad permissions that increase risk and deserve user review before installing.
Guidance
This skill appears to implement what it claims (a local MCP server plus a Chrome extension) but contains several risky defaults you should review before installing:

- Privileges: The extension requests and needs powerful Chrome permissions (debugger, scripting, bookmarks, cookies, tabs, <all_urls>). These let the extension read pages, execute JS, change cookies/storage, and control tabs — exactly what automation needs, but also what an attacker would use to exfiltrate data.
- Hard-coded token & authorization: The server and extension include a built-in token in source. The server accepts that token (and a related token value). If you install without changing tokens, any local process that knows the token could connect to the MCP server. The extension also permanently treats itself as authorized (isAuthValid returns true), and UI defaults enable 'auto attach all tabs'. Consider changing tokens and turning off auto-attach.
- Persistent logs: The MCP server writes logs and task/action history under ~/.autoclaw. These files may contain snapshots of page content, screenshots, or action arguments — review or sandbox them if they contain sensitive content.
- Recommended mitigations before use:
  - Inspect and (preferably) run the server and extension in a disposable environment (VM or isolated profile) first.
  - Change the built-in token to a strong secret and verify the server only accepts your custom token.
  - Disable any 'auto attach all tabs' setting; require explicit attach per tab.
  - Review/limit host permissions if possible; only allow the extension on sites you trust.
  - Consider audit/logging: check ~/.autoclaw for stored data and set retention/cleanup per your privacy needs.
  - If you need remote bookmark classification (cloud mode), be aware that enabling cloud mode can send page/bookmark data to an external API; only configure a trusted endpoint and API key.

Given these issues, treat the package as usable but high-risk unless you harden defaults and verify the code locally. If you want, provide specific files or lines you'd like me to inspect more deeply (e.g., the complete background.js or server.js) and I can point out exact spots to change.

Review Dimensions

Purpose & Capability
ok: The code, manifest, and SKILL.md match the described purpose: a local MCP WebSocket server plus a Chrome extension that uses the Debugger/Bookmarks/Storage/CDP APIs to control the browser, read/write cookies/storage, take screenshots, and manage bookmarks. The included tools (evaluate JS, get cookies, attach tabs, etc.) are consistent with a full-featured browser automation skill.
Instruction Scope
note: Runtime instructions ask the user to start a local Node MCP server and load the unpacked extension from a path under the user's profile (expected for this design). The runtime toolset includes highly sensitive actions (execute arbitrary JS in pages, read/set cookies/storage, read page content). The SKILL.md does not instruct explicit exfiltration, but enabling the extension + server grants capabilities that could access and transmit browsing data if misused.
Install Mechanism
ok: There is no automatic download/install spec in the registry entry — installation is instruction-driven (npm start + load unpacked extension). The included Node dependency (ws) comes from an npm mirror in package-lock, which is normal. No remote archive downloads or obscure URLs in the install flow were required by the package metadata.
Credentials
concern: The skill requests no environment variables, which is fine, but the extension and server contain a hard-coded built-in token (present in README, options.js, server and extension code). The extension requests broad host_permissions ("<all_urls>") and powerful extension permissions (debugger, tabs, bookmarks, scripting), appropriate for deep automation but high privilege. Default settings in code/options (autoAttachAll default true; isAuthValid() overridden to always return true) and acceptance of the built-in token by the server increase the risk surface because authorization becomes effectively permanent unless the user explicitly reconfigures it.
Persistence & Privilege
concern: Although registry flags (always:false) are normal, the plugin itself is designed to persist in the browser with permanent authorization (isAuthValid returns true). Defaults encourage 'auto attach all tabs' and the server stores logs under the user's home (~/.autoclaw/logs). Combined, these make long-lived, machine-local access to browsing data and actions likely after initial setup — this is coherent for an automation tool but elevates privilege and persistence compared to a short-lived helper.