Skillv1.0.0

ClawScan security

chrome-cdp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 15, 2026, 4:15 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's purpose (accessing open Chrome tabs) is plausible, but the packaged code is incomplete (it execs a scripts/cdp.mjs that isn't included and SKILL.md instructs you to git-clone an external repo) and the code uses unescaped shell execution (execSync with joined args), creating a real command-injection and supply-chain risk.
Guidance: Do not install blindly. Before using: (1) Note that the packaged index.js expects scripts/cdp.mjs which are not included — SKILL.md tells you to git-clone a GitHub repo; audit that repository and the scripts/cdp.mjs file before pulling or running anything. (2) The code constructs a shell command by joining arguments and calls execSync — this is vulnerable to command injection if untrusted input reaches the functions. Ask the author to switch to spawn/execFile with argument arrays or properly escape inputs. (3) Because the skill can read your open, logged-in web pages, only run it on a trusted machine and consider using an isolated environment/profile. (4) If you need this functionality but want lower risk, prefer an implementation that bundles its runtime scripts, documents checksums, and avoids shell-string execution. If you proceed, review scripts/cdp.mjs, pin/verify commits, and restrict automatic/autonomous invocation until you are confident about the code.

Review Dimensions

Purpose & Capability: concernName/description match the code's intent (control Chrome via CDP). However index.js expects a helper script at scripts/cdp.mjs that is not present in the package; SKILL.md instructs users to git clone https://github.com/pasky/chrome-cdp-skill to obtain missing files. Requiring an external repo at runtime (not bundled) is an inconsistency and forces fetching and running unvetted code to make the skill functional.
Instruction Scope: concernSKILL.md's runtime instructions are focused on enabling remote debugging and running the included scripts, which is within scope. But index.js runs child processes via execSync by building a single shell string (cmd.join(' ')) from user-supplied arguments (targetId, selectors, expressions). This is a command-injection risk: specially crafted inputs could execute arbitrary shell commands. The skill also promises access to logged-in pages (sensitive data) — expected for purpose but high-risk in practice.
Install Mechanism: noteThere is no formal install spec in the package; SKILL.md directs users to git-clone a GitHub repo to obtain required scripts. Fetching additional code from GitHub is common but still a supply-chain step that should be audited. The packaged index.js alone is insufficient to function, so the user must pull external code before use.
Credentials: noteThe skill does not request environment variables or credentials, which is proportionate. However, its legitimate functionality requires access to the user's running Chrome and will read the contents of logged-in pages (Gmail, GitHub, etc.), which is inherently sensitive — users should consider whether exposing those pages to an agent is acceptable.
Persistence & Privilege: okThe skill is not marked always:true and does not request system-wide config changes or persistent privileges. It does execute commands locally but does not itself claim to persist or modify other skills.