Anemone Browser
Malicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is explicitly designed to run a persistent remote-controlled Chrome that evades website bot protections and CAPTCHA/Cloudflare blocking, while also exposing sensitive browser sessions through VNC.
Avoid installing this on your main machine or using it with important accounts. If you must test it, use a disposable container or VPS, firewall the noVNC port, avoid logging into sensitive services, rotate passwords, and remove the cron job/profile when finished.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use the browser to bypass website anti-abuse protections, which can violate site rules and expose the user to account or legal risk.
The skill is not just enabling browser automation; it explicitly configures the browser to avoid bot-detection signals and continue through CAPTCHA or Cloudflare-style blockers.
Use when: ... browser gets blocked by Google, Cloudflare, or CAPTCHAs ... Anti-Detection ... --disable-blink-features=AutomationControlled ... UA override via CDP
Do not install this for general browsing automation; only consider it in an isolated environment and for sites where you have explicit permission to automate.
A crafted argument, or an agent mistake when invoking the CLI, could cause unintended local shell commands to run.
CLI-provided values such as password, ports, and resolution are interpolated into a shell command without evident validation or safe argument passing.
execSync(`bash ${join(SCRIPTS_DIR, 'start.sh')} "${password}" ${novncPort} ${cdpPort} ${resolution}`
Replace shell-string execSync calls with spawn/execFile argument arrays and validate ports, display numbers, and resolution before use.
Anyone who obtains the link may be able to control the browser and access any logged-in websites in that Chrome profile.
The remote-control password is embedded directly in a URL intended to be shared, which can leak through chat history, browser history, logs, screenshots, or referrers.
echo " noVNC: https://<YOUR_IP>:${NOVNC_PORT}/vnc.html?password=${VNC_PASS}&autoconnect=true&resize=scale"
Avoid putting passwords in URLs; use short-lived credentials, restrict access by network allowlist/VPN, and rotate the VNC password after each takeover.
If the agent, VNC link, local machine, or browser profile is compromised, logged-in accounts in the persistent Chrome profile may be exposed or misused.
The browser profile intentionally preserves authenticated sessions across restarts and is controlled by both the agent and human VNC takeover flow.
Persistent — Cookies and login sessions survive restarts
Do not log into sensitive accounts in this browser profile; use a dedicated low-privilege account and clear the profile when finished.
The browser/VNC stack may keep running and recovering in the background even after the original task is done, increasing exposure time.
Starting the environment installs a cron job that repeatedly restarts browser and VNC components, keeping the remote-control environment alive.
CRON_CMD="*/2 * * * * bash $HC_DST $DISPLAY_NUM $VNC_PORT $NOVNC_PORT $CDP_PORT >> /tmp/anemone-healthcheck.log 2>&1"
Run `anemone stop`, verify the crontab is clean, and use this only in disposable containers or hosts with strict firewall rules.
On a non-dedicated Linux machine, stopping Anemone could terminate unrelated Chrome sessions and lose user work.
The stop command kills any process matching chrome, not only the Anemone-managed Chrome process.
run('pkill -9 -f "chrome" 2>/dev/null || true', { ignoreError: true });
Scope process cleanup to recorded Anemone PIDs or the specific managed profile/remote-debugging command line.
