Web Automation Helper
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill does not show exfiltration or destructive code, but it asks users to enable Chrome remote debugging for broad browser automation without clear limits around logged-in sessions or high-impact web actions.
Install only if you are comfortable giving automation access to a Chrome instance. Use a dedicated Chrome profile or temporary test account, avoid personal logged-in sessions, supervise any form submission or posting, and close the remote-debugging browser when finished.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on a logged-in browser, automation could submit forms, scrape pages, or publish content in accounts the user is already signed into.
The skill combines broad web automation, including form filling and content publishing, with enabling Chrome remote debugging. The provided instructions do not define site limits, approval steps, or safeguards for high-impact browser actions.
description: 浏览器自动化助手。通过Chrome远程调试模式,自动化执行网页操作,包括数据抓取、表单填写、内容发布、截图等。 ... chrome.exe --remote-debugging-port=9222
Use only with explicit user approval for each high-impact action, restrict automation to intended sites, and prefer a separate Chrome profile or test account.
The debugger URL and remote-debugging port should be treated as sensitive because they can enable browser control while Chrome is running.
The helper retrieves and prints Chrome's debugger WebSocket URL. That endpoint can act as control authority over the running browser instance, which may include authenticated web sessions.
http.get('http://localhost:9222/json/version' ... resolve(json.webSocketDebuggerUrl); ... console.log('WS URL:', wsUrl);Do not share the printed WebSocket URL, close Chrome or disable the debug port after use, and launch Chrome with an isolated user-data directory when testing automation.