Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Unbrowse Openclaw
v1.0.0
Analyze any website's network traffic and turn it into reusable API skills backed by a shared marketplace. Skills discovered by any agent are published, scor...
by @cnm-byd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (reverse‑engineer sites, capture traffic, build reusable API skills) matches the code: it launches headless browsers, records requests, extracts endpoints, and publishes skills. However the declared runtime requirements are incomplete: the registry metadata only lists 'bun' as a required binary, yet the code calls out to external binaries (sqlite3), uses the macOS 'security' command to access the keychain, spawns child processes, and expects 'agent-browser' tooling to be installed. It also auto‑registers with a remote marketplace (beta-api.unbrowse.ai) and auto‑stores credentials locally — these are powerful capabilities that should be explicitly declared and justified for this skill.
Instruction Scope
The SKILL.md and code instruct the agent to: auto‑start a local server, run a bundled CLI, install agent-browser via npx, perform interactive logins, and (critically) extract cookies directly from Chrome/Firefox SQLite DBs or perform headful browser login and then store cookies in a local vault. The instructions and routes allow automatic fallback to extracting cookies from the user's browsers and also include endpoints that publish skills and forward diagnostics to a remote backend. These actions go beyond simple 'website scraping' — they access local browser data and can share discovered API schemas/traces with a remote service. The SKILL.md also contains detected prompt‑injection patterns (base64 block, unicode control characters), which could be an attempt to influence processing of the skill text.
Install Mechanism
There is no formal install spec in the registry (instruction‑only), but the bundle contains full source, package.json, and README with a setup script recommendation (git clone + scripts/setup.sh). The README suggests running a setup script that 'auto‑registers, accepts ToS, and starts the server' — that script could run arbitrary commands. The SKILL.md also runs 'npx agent-browser install' which will download external tooling. Because the skill depends on external CLIs (sqlite3, system 'security' on macOS) and may instruct running setup scripts and npx installs, this is higher risk than a pure instruction‑only skill; the install/run flow should be inspected before execution.
Credentials
The skill declares no required environment variables, yet the code reads many system locations (home directory, ~/.agents/skills/unbrowse, ~/.unbrowse, Chrome/Firefox cookie DB paths) and uses system binaries ('sqlite3', 'security') and keychain access for Chrome decryption. It implicitly expects access to the user's browser profiles and keychain, and it writes/stores credentials to a local vault (e.g., ~/.unbrowse/config). It also auto‑registers and interacts with a remote backend (beta-api.unbrowse.ai). The set of local resources accessed and the fact that cookie extraction can be automatic is a disproportionate amount of sensitive access for an agent skill and should be explicitly disclosed and consented to.
Persistence & Privilege
The skill does not set always:true, but it will auto‑start a background server process (bun src/index.ts), store credentials in a local vault under ~/.unbrowse, maintain persistent browser profiles for interactive login, and publish discovered skills to a shared marketplace. Those behaviors create ongoing local presence and ongoing capability to access browser cookies and to upload discovered data; this is powerful but not declared as a global always privilege. The user should be aware the skill runs a local service and persists data and credentials.
Scan Findings in Context
[pre-scan:base64-block] unexpected: The SKILL.md contained a detected base64 block pattern. This is not necessary for the stated capture/publish workflow and could be an attempt to embed or obfuscate instructions. Treat SKILL.md content with caution and inspect for hidden payloads.
[pre-scan:unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These can be used to obfuscate or manipulate how instructions are parsed and are not expected for a normal CLI documentation file.
What to consider before installing
What to consider before installing or running this skill:
- High‑sensitivity actions: this skill reads browser cookie databases and (on macOS) queries the system keychain to decrypt Chrome cookies. That lets it act as your logged‑in browser for many sites. Only proceed if you trust the code and the operator of any remote marketplace it publishes to.
- Implicit downloads and scripts: the README and SKILL.md recommend running a setup script and 'npx agent-browser install' — these will fetch and run external code. Inspect any setup scripts (scripts/setup.sh) and npx packages before running.
- Data sharing / auto‑publishing: discovered API schemas, traces, and diagnostics are sent to a remote backend (beta-api.unbrowse.ai) and a shared marketplace. Sensitive endpoints, request/response bodies, or even redacted traces could be uploaded. If you need privacy, do not enable publishing or run the server in network‑isolated mode.
- Missing declared requirements: the registry only lists 'bun' but the code expects 'sqlite3', the macOS 'security' utility, and the 'agent-browser' tool; ensure those exist and understand the implications. The skill will also write persistent data under ~/.unbrowse and ~/.agents/skills/unbrowse.
- Prompt/injection artifacts: SKILL.md contains patterns flagged by a pre‑scan (base64 and unicode control chars). Manually inspect SKILL.md and the included source for obfuscated/hidden instructions before trusting it.
Practical steps:
- Inspect scripts/setup.sh and SKILL.md fully before running anything automated.
- If you need to experiment, run this skill inside an isolated VM/container that does not contain real browser profiles or real credentials.
- If you must run on a host with real data, deny automatic cookie extraction and interactive auto‑register/publishing; read the code to find configuration toggles (e.g., UNBROWSE_NON_INTERACTIVE, UNBROWSE_TOS_ACCEPTED) and consider disabling network access to the backend.
- Consider auditing/limiting what gets published: verify any 'publishSkill' calls and where trace data is sent (client/index.js) and whether you can opt out of remote uploads.
If you want, I can list the exact code locations where cookies are read/decrypted, where data is uploaded, and the files to inspect first (e.g., src/auth/browser-cookies.ts, src/api/routes.ts, src/client/index.ts).
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔍 Clawdis
Bins: bun
