ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SurfAgent

v1.0.0

Control a real Chrome browser via SurfAgent — navigate, click, type, screenshot, extract data, crawl sites, and automate web workflows. Uses your persistent...

0· 60·1 current·1 all-time
by@agentossoftware
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the capabilities you'd expect from a local browser-control tool (navigate, click, evaluate JS, read cookies, screenshots). However the registry metadata earlier said 'required env vars: none' while the SKILL.md declares a required_environment_variable SURFAGENT_DAEMON_URL — this mismatch is unexplained and worth clarifying.
!
Instruction Scope
Instructions explicitly allow running arbitrary JavaScript in pages, reading and setting cookies, extracting full HTML/text, and using a persistent Chrome profile with real cookies/sessions. Those are appropriate for browser automation, but they also enable access to very sensitive personal data; the SKILL.md does not add guardrails or limit these actions. It also instructs use of 'npx surfagent-mcp' which will fetch code at runtime.
Install Mechanism
This is instruction-only (no install spec). The skill tells users to download SurfAgent from surfagent.app and to run npx surfagent-mcp (which pulls code from the npm registry). Those are normal for a connector, but they do cause external packages/binaries to be fetched and executed outside the skill bundle; the sources referenced (surfagent.app and GitHub repos) appear plausible and not obfuscated.
!
Credentials
The SKILL.md requires SURFAGENT_DAEMON_URL (default http://localhost:7201). A configurable daemon URL is powerful: if set to a remote endpoint, the agent could send page contents, cookies, and other sensitive data off the machine. The registry metadata not listing this env var is an inconsistency. No other credentials are requested, but the ability to read/set cookies and evaluate JS gives access to credentials and private data stored in the browser.
Persistence & Privilege
The skill does not request always:true and does not claim elevated system-wide persistence. Autonomous model invocation is allowed (platform default). Combined with the ability to access persistent browser sessions, autonomous invocation raises blast radius — consider that an agent could perform actions using your logged-in accounts if invoked without user oversight.
Scan Findings in Context
[no-findings] expected: The static regex scanner found no code to analyze because this is instruction-only (only SKILL.md and README.md). That absence of findings is expected but not evidence of safety — the runtime behavior depends on an external daemon and npx-installed MCP tooling.
What to consider before installing
Before installing, be aware this skill gives an agent the ability to control your real Chrome profile (read/set cookies, run JS, extract page contents). That is necessary for the described features but can expose sensitive data. Things to do before use: (1) Verify you install the SurfAgent daemon only from the official surfagent.app and review its GitHub repos; (2) do not set SURFAGENT_DAEMON_URL to a remote server you don't control — keep it at localhost unless you explicitly trust the endpoint; (3) review the surfagent-mcp npm package before running npx (it will be downloaded/executed); (4) run the daemon and the skill in an isolated account, container, or VM if you want to limit exposure of your primary browser profile; (5) require explicit, interactive user confirmation before letting an agent perform actions that access cookies, evaluate JS, or extract entire pages; and (6) ask the skill author to correct the registry metadata inconsistency (the SKILL.md declares SURFAGENT_DAEMON_URL but the registry metadata lists none). If you cannot confirm these points, treat the skill as high-risk and avoid installing it on machines with sensitive browser sessions.

Like a lobster shell, security has layers — review code before you run it.

automationvk9714fnqkvfc1ybf9ch8kq3sw1840kj1browservk9714fnqkvfc1ybf9ch8kq3sw1840kj1chromevk9714fnqkvfc1ybf9ch8kq3sw1840kj1latestvk9714fnqkvfc1ybf9ch8kq3sw1840kj1mcpvk9714fnqkvfc1ybf9ch8kq3sw1840kj1webvk9714fnqkvfc1ybf9ch8kq3sw1840kj1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments