ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

browserwing

v1.0.0

Control and automate browser actions via HTTP API, including navigation, element interaction, data extraction, accessibility snapshots, screenshots, JS execu...

1· 4.9k·44 current·45 all-time
by@chenhg5
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md describes a browser automation HTTP API and all runtime instructions are about calling that API (navigate, click, extract, snapshot). The declared/used environment variable (BROWSERWING_EXECUTOR_URL) and optional auth headers are consistent with an HTTP executor integration.
Instruction Scope
Instructions stay within the skill's scope: they tell the agent how to discover commands, take snapshots, run operations, and use a base URL. There are no instructions to read unrelated system files, other credentials, or to exfiltrate data to unexpected endpoints beyond the configured executor URL.
Install Mechanism
No install spec or code files — instruction-only skill. Nothing is downloaded or written to disk by the skill itself.
Credentials
The SKILL.md uses/mentions one environment variable (BROWSERWING_EXECUTOR_URL) and optional API headers — proportionate to an HTTP API integration. Note: registry metadata in the package summary reported 'required env vars: none' while the SKILL.md metadata and instructions expect BROWSERWING_EXECUTOR_URL (with a localhost fallback). This is a minor metadata mismatch to be aware of.
Persistence & Privilege
The skill does not request permanent presence (always=false) and contains no install or self-modifying behavior. It can be invoked by the model, which is the platform default.
Assessment
This skill is an instructions-only adapter for a BrowserWing Executor HTTP service — it is internally coherent. Before installing, verify: (1) what BROWSERWING_EXECUTOR_URL will point to (default is localhost:8080; if you set it to a remote server you are trusting that server with any page operations and data the skill sends), (2) whether an API key or bearer token is required and only provide it to a trusted executor, and (3) that the metadata mismatch (registry shows no required env, SKILL.md expects BROWSERWING_EXECUTOR_URL) is acceptable to you. Also be aware: browser automation can interact with pages that contain sensitive info (forms, session cookies), so avoid pointing the executor at untrusted endpoints or giving it credentials you don't want automated actions to access.

Like a lobster shell, security has layers — review code before you run it.

latestvk97742q1z6bmgw1a2rjzc5sv7180fjep

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments