Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Browser Network Inspector
v1.0.1Browser-side request inspection and reporting for user-authorized web debugging. Use when you want one skill to observe page fetch/XHR/WebSocket activity, in...
⭐ 0· 48·0 current·0 all-time
by@dougzl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the actual behavior: scripts inject a browser collector that instruments fetch/XHR/WebSocket, redact common sensitive fields, export JSON, and summarize into Markdown. The only external runtime required is a local 'agent-browser' CLI, which is referenced consistently in SKILL.md and scripts.
Instruction Scope
Runtime instructions require injecting the provided collector into the target page via agent-browser eval and then exporting logs. This matches the stated purpose, but the collector uses eval chunking to load itself into pages and the Node helpers execute local binaries (agent-browser) and write files under the user's workspace. Redaction is implemented but may not catch every sensitive pattern, so use only on pages you are authorized to inspect.
Install Mechanism
No install spec — instruction-only with bundled JS helpers. Nothing is downloaded from the network and no archive extraction occurs. The scripts expect an existing agent-browser binary but do not attempt to fetch or install it.
Credentials
The skill requires no environment variables or credentials. It reads typical local paths (HOME/USERPROFILE/APPDATA) to locate agent-browser and writes report files into the user's .openclaw workspace — behavior consistent with the stated purpose.
Persistence & Privilege
always:false and user-invocable. The skill only writes reports and temporary files under the workspace and does not modify other skills or system-wide settings. It does execute a local binary (agent-browser) as part of normal operation.
Assessment
This skill appears coherent for browser-level debugging. Before installing: (1) Ensure the 'agent-browser' binary you have is from a trusted source — the scripts will run it and use it to eval JS into pages. (2) Only use the skill on sites you are authorized to inspect — the collector injects code (including eval) into pages and can capture request/response data. (3) Review the collector for any additional header/body fields you consider sensitive — the redaction list is conservative but not guaranteed to catch every secret pattern. (4) Avoid running this against pages containing third-party credentials, payment flows, or other high-risk secrets unless you accept the risk of accidental capture. If you need higher assurance, run captures in an isolated browser/profile or with a controlled test account.scripts/capture-and-report.js:56
Shell command execution detected (child_process).
scripts/capture-session.js:50
Shell command execution detected (child_process).
scripts/clear-session.js:21
Shell command execution detected (child_process).
scripts/capture-session.js:79
Dynamic code execution detected.
scripts/summarize-network.js:14
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97atsbqcptxczxyrrkj4cfqe583xn61
License
MIT-0
Free to use, modify, and redistribute. No attribution required.