Anemone Browser
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill sets up a persistent remote Chrome browser that deliberately hides automation to get around bot/CAPTCHA protections and can expose logged-in sessions through a VNC link.
Avoid installing this skill unless you are using it in a tightly controlled, authorized test environment. If you proceed, use a disposable VM/container, disposable browser profiles and accounts, private VPN-only VNC access, and stop all browser/VNC services after use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
1/56 vendors flagged this skill as malicious, and 55/56 flagged it as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could automate websites while hiding that it is automated, which may violate site rules, trigger account/IP blocks, or enable abusive scraping and access patterns.
The skill is purpose-built to help automation evade bot-detection and access sites after CAPTCHA/Cloudflare-style blocking.
Use when: ... browser gets blocked by Google, Cloudflare, or CAPTCHAs ... Anti-Detection ... `--disable-blink-features=AutomationControlled` ... UA override via CDP
Do not use this skill for third-party sites unless you have explicit authorization; remove anti-detection and CAPTCHA-bypass workflows for a safer browser setup skill.
An agent session may act as the logged-in user on websites, and another session could inherit the same cookies or account access.
The skill intentionally reuses authenticated browser state across agent sessions, giving agents access to logged-in accounts without strong per-session credential boundaries.
Multiple sessions share one Chrome (same cookies/logins) but each gets its own window.
Use disposable accounts and separate browser profiles per session; require explicit user approval before any authenticated browsing or account-changing action.
Anyone who obtains the link may be able to view and control the browser, including any logged-in accounts visible in that profile; the password can leak via chat, logs, or browser history.
The remote-control endpoint is exposed through noVNC and the password is embedded directly in the URL that is printed or shared.
websockify --web=/usr/share/novnc --cert=/root/.vnc/combined.pem $NOVNC_PORT localhost:$VNC_PORT ... echo "noVNC: https://<YOUR_IP>:${NOVNC_PORT}/vnc.html?password=${VNC_PASS}&autoconnect=true&resize=scale"
Bind noVNC to localhost or a private VPN, avoid putting passwords in URLs, rotate passwords after each use, and stop the service when not actively needed.
A mistaken browser action could affect another agent's tab, authenticated session, or user workflow.
Session isolation depends on the agent always using the correct targetId rather than on hard enforcement, so one mistake can cross into another session.
NEVER operate without targetId — you'll land on another session's tab. NEVER pick another session's tab from `browser action=tabs`.
Use separate Chrome profiles or containers per session and enforce target binding at the tool layer instead of relying only on instructions.
Installing the skill can change system packages and root-owned files, and dependency contents may change over time.
The setup script performs privileged system changes and installs remote/unpinned dependencies; this is related to the browser purpose but should be reviewed before running.
wget -q -O /tmp/chrome.deb https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb ... pip3 install websockets --break-system-packages -q ... cp "$SCRIPT_DIR/start.sh" /root/start.sh
Pin package versions or hashes, declare the install mechanism, and run the setup only in a disposable container or VM.
