Web Access Skill
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: web-access-skill Version: 1.0.0 The skill implements a CDP (Chrome DevTools Protocol) proxy (`cdp-proxy.mjs`) that grants the AI agent full control over the user's active Chrome browser, including access to authenticated sessions and cookies. Key high-risk features include the ability to execute arbitrary JavaScript in any tab (`/eval`), capture screenshots, and programmatically upload local files to websites (`/setFiles`) by bypassing standard file-picker dialogs. While the `SKILL.md` instructions frame these capabilities as tools for advanced web research and automation, the lack of sandboxing and the broad access to the user's live browser environment and local filesystem represent a significant security risk that could be exploited for data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to view private logged-in pages and perform actions as the user on websites.
The skill intentionally uses the user’s normal Chrome profile and logged-in sessions for web tasks, giving the agent account-level access across whatever sites the user is already logged into.
通过 CDP Proxy 直连用户日常 Chrome,天然携带登录态,无需启动独立浏览器。
Use a separate browser profile or dedicated account where possible, and require explicit user confirmation before any logged-in, posting, purchasing, deleting, or account-changing action.
A mistaken or overbroad agent step could submit forms, change website state, or interact with private account data.
The local proxy exposes arbitrary page JavaScript with the ability to read and change page state, submit forms, and call internal methods, which is broader than ordinary browsing.
执行任意 JS:可读写 DOM、提取数据、操控元素、触发状态变更、提交表单、调用内部方法
Constrain use to user-requested targets, inspect planned actions before mutations, and avoid arbitrary /eval operations for sensitive sites unless the user approves the exact action.
The agent could upload local files to a website if given or infers a path, including files the user did not intend to share.
The API can attach local files to web upload controls without the normal file picker, which is powerful and needs tight user-selected file scoping.
给 file input 设置本地文件路径(`DOM.setFileInputFiles`),完全绕过文件对话框。
Only allow file uploads after the user names the exact files and destination, and avoid giving the agent broad filesystem paths.
A browser-control service may remain running longer than the immediate task, increasing the window in which browser sessions can be controlled locally.
The dependency check starts the CDP proxy as a detached background process, allowing it to continue after the initiating command exits.
const child = spawn(process.execPath, [PROXY_SCRIPT], { detached: true, stdio: ['ignore', logFd, logFd] });
child.unref();Provide a clear stop command and consider stopping the proxy after sensitive tasks; users should know how to terminate it when not needed.
Parallel agents could act in the same logged-in browser session and expose or mix data across subtasks.
The skill encourages multiple sub-agents to share one authenticated browser and proxy, but the artifacts do not define identity, authorization, or data-boundary controls between those agents.
每个子 Agent 在当前用户浏览器实例中,自行创建所需的后台 tab...所有子 Agent 共享一个 Chrome、一个 Proxy
Avoid parallel sub-agents for logged-in or sensitive sites unless each task is read-only and clearly scoped; require review before account-changing actions.
Saved site instructions may affect later browsing tasks.
The skill describes cross-session reuse of site-specific experience, which is purpose-aligned but can influence future browsing behavior if the stored guidance is stale or poisoned.
站点经验积累 | 按域名存储操作经验(URL 模式、平台特征、已知陷阱),跨 session 复用
Review or clear stored site-pattern notes if behavior seems wrong, especially before sensitive logged-in operations.