Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Relay — Browser Access for AI Agents

v1.0.0

Control a remote browser through Claw Relay using the CLI client. Use when you need to navigate authenticated websites, click buttons, fill forms, take scree...

0· 130·0 current·0 all-time
by acolombiadev (@andreagriffiths11)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The skill's stated purpose (control a remote browser via a CLI client) matches the included script and actions (navigate, snapshot, click, evaluate, screenshot). However the registry metadata lists no required environment variables or primary credential while the SKILL.md explicitly requires CLAW_RELAY_URL, CLAW_RELAY_TOKEN, and CLAW_RELAY_AGENT — a clear mismatch. The script also has a different default URL (ws://localhost:9333) than the SKILL.md examples (wss://relay.clawrelay.dev/), and the SKILL.md references the script path 'skills/openclaw/relay-client.cjs' even though relay-client.cjs is provided at the package root. These inconsistencies suggest sloppy packaging or incomplete metadata.
Instruction Scope (flagged)
The runtime instructions tell agents to run the included node script via exec and to supply a token/agent id; that's consistent with the goal. But the skill explicitly supports an 'evaluate' action that runs arbitrary JavaScript in the user's real browser and snapshot actions that expose DOM/accessibility trees — behaviors that can access sensitive data (cookies, page content, forms). The SKILL.md does not limit or audit what evaluate may run, and it instructs storing screenshots to disk (fs usage in code). These are expected for a remote-browser tool but materially increase risk and should be justified, scoped, and documented in metadata.
Install Mechanism (flagged)
This is instruction-only with an included JS client and no formal install spec. The script requires the 'ws' npm module (const WebSocket = require('ws')) but there's no declared dependency or installation step. SKILL.md mentions running 'npm install' in a 'relay-server/' directory which is confusing (the client requires 'ws', not necessarily the server). Missing a clear install step for node dependencies is a packaging omission that could break runtime assumptions or hide needed setup commands.
Credentials (flagged)
The SKILL.md requires CLAW_RELAY_TOKEN, CLAW_RELAY_URL, and CLAW_RELAY_AGENT (sensitive credentials granting control of a user's real browser), but the registry metadata declares none. Requesting a token that can control browser actions (including arbitrary JS execution) is proportionate to the stated capability only if declared, narrowly scoped, and audited — none of which is present in the registry. The absence of declared required env vars is an important coherence/privacy omission.
Persistence & Privilege
The skill does not request persistent installation or 'always: true'. Autonomous model invocation is allowed (platform default), meaning an agent could invoke the skill without an extra gate; combined with the ability to run arbitrary JS on a real browser and the missing metadata, that increases the potential blast radius. The skill itself instructs not to keep persistent connections, but the agent-level invocation policy is not controlled here.
What to consider before installing
Key things to consider before installing or enabling this skill:

- Credentials and scope: The SKILL.md requires a CLAW_RELAY_TOKEN/URL/AGENT but the registry metadata lists none — ask the publisher to declare required env vars and describe token scope and expiry. Treat any token as highly sensitive because it grants control over a real user's browser and sessions.
- Arbitrary JS: The 'evaluate' action runs arbitrary JavaScript in the user's real browser and can read cookies/page content; only enable this skill for trusted agents and ensure strong allowlisting/auditing on the relay side.
- Dependency/install gaps: The client needs the 'ws' Node module but no install spec is provided. Request a clear install step or package.json so dependencies are explicit.
- Verify endpoints: Confirm the relay URL is legitimate (don't blindly use the example wss://relay.clawrelay.dev/). The script defaults to ws://localhost:9333 — confirm which endpoint you intend to use.
- Audit and least privilege: Use tokens scoped to the minimum actions needed, enable audit logging on the relay, and prefer time-limited tokens. Test in an isolated environment before granting access to real user sessions.
- Packaging fixes: Ask the author to correct path references, add required env var declarations to registry metadata, include a dependency manifest (package.json), and provide a homepage or source repo so you can verify the server-side implementation.

Given the mismatches and the sensitive nature of remote-browser control, treat this skill as suspicious until those questions are resolved.
