Drission Sota Toolkit
Audited by ClawScan on May 10, 2026.
Overview
This skill includes high-risk browser takeover, local relay, and anti-bot automation features while its metadata and safety claims contradict the bundled code.
Only use this in a disposable VM/container with a separate Chrome profile and no logged-in personal accounts. Treat the takeover and relay scripts as high-risk, start them only manually, and verify the metadata, dependency pins, and gating behavior before installation.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could trust the benign metadata and invoke capabilities that are much more powerful than advertised.
The manifest tells users/agents this is minimal and has no high-risk capabilities while autonomous model invocation is enabled; other supplied artifacts include high-risk takeover, relay, and nuclear driver scripts.
"description": "Minimal Web Scraper (Lab v7.0). Only basic search and aggregation scripts. No high-risk capabilities included." ... "disable-model-invocation": false
Align metadata with the actual bundled scripts, disclose all high-risk browser-control features, and disable autonomous model invocation unless each action is explicitly user-approved.
The documented safety model does not match the code, making it harder to know which high-risk actions are actually gated.
This contradicts SKILL.md's claim that environment variables are not used for authentication and that high-risk scripts require a fresh lockfile.
SAFETY: Requires environment variable SOTA_NUCLEAR_CONFIRMED=true ... if os.environ.get('SOTA_NUCLEAR_CONFIRMED') != 'true':
Use one documented authorization mechanism for all high-risk scripts, remove contradictory claims, and fail closed unless a clear user approval is present.
If pointed at a logged-in or sensitive browser session, the skill could act inside web pages and potentially change account data or content.
The toolkit explicitly includes raw Chrome DevTools Protocol control that can execute JavaScript in the active browser page, which is far beyond ordinary search aggregation.
"Risk": High. Can execute any JavaScript on the current page via `Runtime.evaluate`.
Run only in an isolated disposable browser/profile, require explicit user confirmation before CDP actions, and restrict commands to known-safe operations.
While the relay is active, local processes may reach the browser debugging interface through the forwarded port.
The relay forwards local port 9223 to Chrome's debugging port 9222 for up to an hour, and this script does not call the advertised lockfile or UDS authorization checks.
MAX_LIFESPAN = 3600 ... server.bind(('127.0.0.1', local_port)) ... SecureRelay().start(9223, 9222)
Gate relay startup, shorten lifetimes, require per-connection authorization where possible, and warn users before exposing browser debugging endpoints.
If invoked with an unexpected relative path, the wrapper could run unintended local Python code after the gate is satisfied.
The wrapper executes a caller-supplied script name without a visible whitelist or canonical path containment check.
script_path = os.path.join(base_dir, script_name) ... subprocess.run([sys.executable, script_path], env=clean_env, check=True)
Whitelist allowed script filenames, resolve and verify the final path stays under the scripts directory, and reject path traversal or arbitrary arguments.
The skill could be used for scraping or anti-bot circumvention that violates site rules or exposes the user to account or network risk.
The code explicitly frames browser/TLS impersonation as a way to avoid CAPTCHA friction, without limiting use to authorized targets.
# Using SOTA impersonate to ensure high-speed, no-captcha access ... requests.get(url, impersonate="chrome124", timeout=15)
Limit use to sites where the user has authorization, remove bypass-oriented defaults, and add clear legal/ethical usage constraints.
A later dependency version could introduce different behavior or vulnerabilities.
Dependencies are declared, but lower-bound ranges allow future package versions to change behavior compared with the reviewed artifacts.
curl_cffi>=0.14.0 ... DrissionPage>=4.1.1.2 ... requests>=2.31.0
Pin exact dependency versions and publish a lockfile or reproducible environment for review.
