Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Qwen Orchestrator
v1.2.2
Qwen Chat (chat.qwen.ai) access via Puppeteer browser automation with CDP interceptor. Persistent daemon (~35ms startup), health checks, graceful shutdown, P...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and runtime instructions: the files implement Puppeteer automation, a fast persistent daemon, session files, health checks and PM2-based management to interact with chat.qwen.ai without an API key. The declared capabilities line up with required files and scripts.
Instruction Scope
Runtime instructions and code access and modify many local files under the skill directory (.profile, .sessions, .daemon-ws-endpoint, .logs, .diagnostics), run PM2 commands, and advise removing lock files and endpoint files. The SKILL.md instructs the agent/user to run system-level steps (pm2 start/save, pm2 startup) and to delete or rm -rf certain files; these are within the purpose but broaden the scope to system-level process management and persistent state outside ephemeral execution.
Install Mechanism
This is instruction-only but includes a setup script that runs npm install and starts a PM2-managed daemon. Dependencies come from the public npm registry (puppeteer and transitive deps). No direct arbitrary URL downloads are used, which is expected for Puppeteer tooling, but npm install will fetch many packages and may download a Chromium binary via puppeteer.
Credentials
No environment variables or external credentials are requested, which fits the stated purpose. However, the skill relies on a persistent Chromium user profile stored under the skill (.profile) that will contain cookies/localStorage/session tokens for chat.qwen.ai (and potentially other sites). It also writes a .daemon-ws-endpoint file containing the browser WebSocket endpoint — any process that can read that file can connect to and control the browser (and act with the logged-in session). Those capabilities are functionally necessary for the skill but are sensitive and deserve explicit user caution.
Persistence & Privilege
The skill deliberately installs a persistent daemon (qwen-daemon) managed by PM2 and suggests using pm2 startup and pm2 save to make it survive reboots. The daemon writes endpoint/session files that persist on disk. While always:false and autonomous invocation are normal, combining a persistent daemon + exposed browser websocket endpoint + system startup hints increases the blast radius if the host or other local processes are compromised.
What to consider before installing
This skill is coherent with its description: it automates a real browser to use your logged-in Qwen Chat session and runs a PM2-managed daemon for fast responses. Before installing, consider:
(1) The daemon stores a Chromium profile under the skill folder (.profile) which contains cookies and session tokens — treat that directory as sensitive.
(2) The daemon writes .daemon-ws-endpoint (a WebSocket URL). Any process that can read that file can fully control the browser and act as the logged-in user.
(3) setup-daemon.sh runs npm install and configures PM2 startup (system-level changes); avoid running pm2 startup as root without understanding the implications.
(4) The code uses child_process execSync, process.kill and rm -rf techniques to clear locks and kill Chrome processes — these are plausible for this tool but are powerful operations that affect other browser processes.
Recommendations: review the code yourself, run it in an isolated environment or disposable VM/container, restrict permissions on the skill directory (so other users/processes cannot read .daemon-ws-endpoint or .profile), avoid enabling pm2 startup if you don't want a persistent system service, and delete or protect the .daemon-ws-endpoint file when not in use. If you need stronger assurance, run only the non-daemon mode (which closes the browser after each request) or use an agent that does not expose a persistent browser websocket.
ask-puppeteer.js:103
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
