Chrome Use

Security checks across malware telemetry and agentic risk

Overview

This skill is built to bypass website anti-bot and CAPTCHA defenses while granting broad control over your logged-in Chrome browser.

Avoid installing this in your everyday Chrome profile. If you have a legitimate, authorized need for browser automation, use an isolated Chrome profile with no personal accounts, keep the WebSocket bridge local and authenticated, review every site/action before use, and remove the extension afterward.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

The agent could use your browser to bypass website protections, which may violate site rules, trigger account enforcement, or enable automated misuse.

Why it was flagged

The skill is explicitly designed to evade site anti-bot and CAPTCHA protections, not merely to render JavaScript pages.

Skill content

"Stealth First": Uses `chrome.debugger` API via extension to evade anti-bot detection (Cloudflare, reCAPTCHA, fingerprinting)

Recommendation

Do not install or use this for CAPTCHA, Cloudflare, or bot-protection bypass unless you have explicit authorization for the target site.

ASI03: Identity and Privilege Abuse
High
What this means

The agent may act inside accounts where you are already logged in, including reading pages, filling forms, clicking buttons, or navigating with your session.

Why it was flagged

The bridge launches Chrome using the user's normal Chrome profile directory, which can include logged-in sessions, cookies, and account state.

Skill content

const profileDir = this.getProfileDir(); ... `--user-data-dir=${profileDir}`

Recommendation

If browser automation is necessary, use a dedicated empty Chrome profile with no personal logins and no saved credentials.

ASI03: Identity and Privilege Abuse
High
What this means

A connected agent can inspect and manipulate pages across many sites, not just a narrow approved domain.

Why it was flagged

The extension requests debugger and tab access across all HTTP and HTTPS sites, giving it broad authority over browser content and logged-in web apps.

Skill content

"permissions": ["activeTab", "tabs", "storage", "nativeMessaging", "debugger"], "host_permissions": ["http://*/*", "https://*/*"]

Recommendation

Avoid installing the extension in your main browser; restrict host permissions if possible and remove unused high-privilege permissions.

ASI05: Unexpected Code Execution
Medium
What this means

The agent could run scripts that read or change page state, submit forms, or interact with account pages in ways the user did not review.

Why it was flagged

The public API exposes raw JavaScript execution in the current tab, which is powerful when combined with a logged-in browser profile.

Skill content

export async function evaluate(script) { ... return await bridge.evaluate(script); }

Recommendation

Require explicit user approval for any raw JavaScript evaluation and prefer narrowly scoped, reviewed browser actions.

ASI07: Insecure Inter-Agent Communication
High
What this means

Browser automation traffic can include tab URLs, page HTML, screenshots, and commands; an exposed or spoofed endpoint could interfere with or receive sensitive automation data.

Why it was flagged

The WebSocket command channel accepts connections without visible authentication, origin checks, or a localhost-only bind in the provided code.

Skill content

this.wss = new WebSocketServer({ port: this.port }); ... this.wss.on('connection', (ws) => { ... this.clients.set(ws, ...); })

Recommendation

Bind the server to 127.0.0.1, add a per-session secret or origin validation, and do not configure the extension to connect to nonlocal hosts.

ASI10: Rogue Agents
Medium
What this means

The browser-control capability may remain available in future Chrome sessions if the extension is not disabled or removed.

Why it was flagged

The high-privilege Chrome extension remains installed and active beyond the immediate task.

Skill content

After this, the extension loads automatically every time Chrome starts — no need to reload it each session.

Recommendation

Disable or uninstall the extension after use, and avoid leaving the bridge or browser connected unattended.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

A future npm install may resolve a different dependency version than the one the author tested.

Why it was flagged

The npm dependency is purpose-aligned for a WebSocket bridge, but the version range is not pinned and no lockfile is present in the manifest.

Skill content

"dependencies": { "ws": "^8.16.0" }

Recommendation

Review the dependency tree, use a lockfile, and install only from a trusted package registry.