Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gbrow

v1.0.0

Full-featured headless browser for OpenClaw agents. Navigate, snapshot with accessibility tree (@ref clicks), tabs, JS execution, cookie import. No vision mo...

⭐ 0· 30·0 current·0 all-time

by@ashish797

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

The name/description (headless browser using Playwright) matches the code. However the registry entry declares no required env vars or config paths while the implementation reads/writes state under .gstack, uses environment variables (BROWSE_STATE_FILE, BROWSE_EXTENSIONS_DIR, CI/CONTAINER, etc.), and includes a cookie-import component and extension-write behavior that are higher privilege than the registry metadata indicates.

Instruction Scope

SKILL.md instructs cloning the GitHub repo and piping setup.sh via curl | bash and to run a persistent local server. The instructions reference reading the local state file (.gstack/browse.json) to obtain a token and port. The docs omit some high-impact behaviors present in code: writing .auth.json into found extension directories, cookie import logic, and large network/console buffers and activity streaming endpoints that may contain sensitive data. Pre-scan found a 'system-prompt-override' pattern in SKILL.md (prompt-injection signal).

Install Mechanism

There is no registry install spec, but SKILL.md/setup.sh instructs executing remote scripts: curl https://raw.githubusercontent.com/…/setup.sh | bash and curl https://bun.sh/install | bash, plus npx playwright install chromium. These downloads are from well-known hosts (GitHub, bun.sh, playwright via npx) but piping remote shells to bash and downloading browser binaries are moderate-to-high risk operations and worth manual review before execution.

Credentials

The skill declares no required credentials or config paths but the code uses multiple env vars (BROWSE_EXTENSIONS_DIR, BROWSE_STATE_FILE, BROWSE_SERVER_SCRIPT, HOME, CI/CONTAINER) and writes state/tokens into ~/.gstack. It also contains cookie-import functionality (likely reads browser cookie DBs) and will write .auth.json into extension directories it finds, which can expose tokens to other components. The undeclared access to user browser cookies and potential writes into other skills' extension directories are disproportionate and sensitive.

Persistence & Privilege

The server launches a persistent local daemon, creates ~/.gstack state and a persistent Chromium profile, and can run detached in background. Importantly, in headed mode it will locate an extension path and may write a .auth.json file there (modifying a discovered extension directory). That behavior modifies other on-disk components and can expose tokens — this matches the rule 'modify OTHER skills' configurations' and is a notable risk. The skill does not set always:true, but it does request persistent local presence through files and background processes.

Scan Findings in Context

[system-prompt-override] unexpected: A prompt-injection pattern was detected in SKILL.md. The skill is a browser server and does not need to modify system prompts; this may be an accidental false positive (common phrase), but warrants manual review of SKILL.md to ensure it doesn't try to override agent/system prompts.

What to consider before installing

What to consider before installing: - Review the install script instead of piping it: the SKILL.md recommends 'curl | bash' for setup. Copy the setup.sh URL and inspect its contents before running, or clone the repository and run scripts manually. - Run in an isolated environment: because the skill installs Bun/Chromium and runs a persistent server that stores tokens and browser profiles under ~/.gstack, prefer a throwaway VM or container so it cannot access your real browser profile or other files. - Inspect cookie-import and extension-write behavior: the code includes cookie-import logic and will attempt to locate extension directories and may write .auth.json there. If you do not want the skill reading local browser cookies or modifying extension directories, do not install it or audit/disable those code paths first. - Check exposed endpoints and logs: the server keeps large console/network buffers and exposes HTTP endpoints for commands and activity streaming. Confirm authentication and that logs do not leak sensitive data before allowing other agents/processes access. - Principle of least privilege: avoid running the install as root and avoid giving the server access to sensitive filepaths. If you must run it locally, consider running it under a restricted user and firewalling the server port to localhost only. - If unsure, ask the maintainer for a reproducible package or an audited release: prefer installing from a pinned, reviewed release (GitHub release archive) instead of a raw branch tip, and request clear docs on cookie import and extension writes. Why 'suspicious' not 'malicious': the code is consistent with a Playwright-based browser skill and many behaviors are explainable, but there are multiple mismatches and higher-privilege file operations (cookie import, writing .auth.json to discovered extension directories, piping remote install scripts) that are significant enough to recommend caution and manual review before trusting the skill.

✗

src/bun-polyfill.cjs:67