Drission Sota Toolkit
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a high-risk browser automation toolkit that can control local Chrome/CDP sessions and bypass bot protections, while its metadata and safety controls are inconsistent.
Do not install this as a general-purpose scraper. Only consider it if you intentionally need advanced CDP/browser automation, can inspect the code, and will run it in an isolated VM or container with a disposable browser profile. Avoid logged-in sessions, disable autonomous invocation for high-risk scripts, and require the publisher to fix the misleading metadata and gating issues first.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could approve the skill believing it is a minimal scraper while receiving a package with much broader browser-control capabilities.
The shipped package includes high-risk files such as CDP takeover, driver injection, and relay scripts, while this manifest claims no high-risk capabilities and uses a different version from the registry/SKILL text.
"description": "Minimal Web Scraper (Lab v7.0). Only basic search and aggregation scripts. No high-risk capabilities included."
Require the publisher to align metadata with the actual shipped files, declare all high-risk capabilities, and remove stale or misleading manifest entries before installation.
If used with a real browser profile, the skill could manipulate pages or accounts the user is logged into.
Raw CDP control over the current page can operate inside an active browser session, including pages where the user may already be authenticated.
* **Risk**: High. Can execute any JavaScript on the current page via `Runtime.evaluate`.
Use only a dedicated, non-logged-in browser profile in an isolated environment, and require explicit per-action approval for any CDP or JavaScript execution.
An autonomous agent or script that can set environment variables could enable a powerful browser-control path without the user meaning to authorize that specific action.
A high-impact direct browser-driver injection path is gated by an environment variable rather than a robust human approval flow, despite the skill documentation emphasizing physical gating.
SAFETY: Requires environment variable SOTA_NUCLEAR_CONFIRMED=true ... driver = BrowserDriver(_id='sota_hardened_probe', address=ws_url, owner=None)
Replace environment-variable approval with an explicit interactive confirmation and whitelist exactly which high-risk scripts may run.
The skill could be used for web activity that violates site rules or creates account/network risk for the user.
The code explicitly uses browser/TLS impersonation for no-CAPTCHA access, which is a bot-protection bypass capability not tightly scoped to approved targets.
# Using SOTA impersonate to ensure high-speed, no-captcha access ... requests.get(url, impersonate="chrome124", timeout=15)
Limit automation to sites where the user has permission, remove bypass-oriented defaults, and document ethical/legal boundaries clearly.
A mistaken or manipulated invocation could run unintended local Python code under the user's account.
The wrapper builds a subprocess path from a caller-supplied script name without a visible whitelist or path-containment check.
def run_protected_script(script_name): ... script_path = os.path.join(base_dir, script_name) ... subprocess.run([sys.executable, script_path], env=clean_env, check=True)
Whitelist allowed bundled scripts, normalize and validate paths, and reject absolute paths or traversal components before launching subprocesses.
The skill can temporarily keep a local relay process running during a task, which may expose local browser-debugging traffic to same-host processes.
The relay creates a local listener, but it is bound to loopback and includes idle and maximum-lifespan shutdown logic.
IDLE_TIMEOUT = 300 ... MAX_LIFESPAN = 3600 ... server.bind(('127.0.0.1', local_port))
Run the relay only when needed, verify it exits after use, and avoid using it on shared or untrusted machines.
Users may over-trust the skill's safety posture based on an unsupported audit/verification statement.
The package makes an external-sounding verification claim without supporting provenance in the supplied artifacts, alongside high-risk browser-control code.
**Audit Status**: Verified by SpatialGPT SOTA Engine (2026)
Treat the claim as unverified unless the publisher provides independent audit evidence, and base installation decisions on the actual source behavior.
