Skill v1.1.0

ClawScan security

Anemone Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 1:35 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, install steps, and runtime instructions are coherent with its stated purpose (managed headful Chrome with VNC takeover and auto-recovery), but it makes persistent, privileged system changes and exposes a VNC URL containing the password — review and run in an isolated environment if you proceed.
Guidance
This package appears to do what it says (manage a headful Chrome + VNC environment) but it makes root-level changes and persists a cron job, cookies/profile files, and certs under /root and /etc. Before installing:
1. Only run it on a dedicated machine, container or VM you control; do not install it on a shared production host.
2. Expect apt installs and writes to /root and /etc; review the scripts (they are included) and confirm you trust the author.
3. Note that noVNC links include the VNC password in the URL and the CLI may attempt to discover the host's public IP via ifconfig.me; treat links as sensitive and use network controls/firewalling.
4. Avoid using the --dangerously-no-password mode.
5. If you need less privilege, run the stack inside an isolated container and expose only the necessary ports.
6. After install, inspect the crontab, /root/.vnc, /root/.chrome-profile, and /etc/opt/chrome/policies/managed to confirm the expected files, and remove the cron entry if you do not want automatic healthchecks.

Review Dimensions

Purpose & Capability
Status: ok
Name/description match the actual behavior: a Node CLI that installs/starts a headful Chrome + Xvfb + x11vnc + noVNC stack, provides CDP for agents, and offers VNC takeover for humans. The requested npm package, binaries, and scripts are consistent with this purpose. The package expects to run on Linux/macOS and installs system packages on Linux, which is expected for this scope.
Instruction Scope
Status: note
SKILL.md directs the agent to start the managed browser, present a noVNC link to the user for human takeover, and use CDP on localhost; these are within scope. Points to note: the guidance explicitly has the agent (or CLI) produce and transmit a noVNC URL that contains the VNC password as a query parameter, and the CLI attempts to discover the host public IP via an external service (ifconfig.me). Both are functional for the purpose, but a credential carried in a URL ends up wherever the URL is copied (chat transcripts, shell and browser history, proxy and web-server logs), and the IP lookup is an outbound call to a third party that reveals the host is running the stack.
Install Mechanism
Status: note
Installation is via npm (anemone-browser), which provides the CLI binary. The Linux setup script installs system packages via apt-get and downloads the official Google Chrome .deb from dl.google.com (an expected source). The installer copies scripts to /root and writes system files (e.g., /etc/opt/chrome/policies/managed/security.json). These actions require elevated privileges and modify system-wide locations; this is consistent with a system-level browser manager but worth attention before running on a host.
Credentials
Status: note
The skill requests no environment variables or external credentials, which is appropriate. However, it generates/stores VNC passwords and SSL certs under /root, writes state to /tmp/anemone-state.json (including the VNC password), and prints noVNC URLs with password query params. Those behaviors are proportional to the feature set but carry confidentiality risks: the password-in-URL problem above, and files in /tmp, a directory every local user can traverse, so the state file's mode decides whether other accounts on the host can read the password.
Persistence & Privilege
Status: concern
The package installs a recurring healthcheck cron job (every 2 minutes) under the system/root crontab, creates persistent profile and cert files under /root and /etc, and writes Chrome policies system-wide. This gives the skill a persistent presence on the host and requires root privileges. While aligned with the auto-recovery design, it is a meaningful privilege and persistence vector that the user should explicitly authorize.
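The post-install checks that Guidance items 3 and 6 and the Credentials and Persistence & Privilege dimensions call for, written as an added shell example for this review; it is not code from the anemone-browser package. It assumes three things the report does not confirm, each marked in the comments: the healthcheck cron line contains the string "anemone", noVNC links carry the VNC password in a query parameter named "password", and the /tmp state file stores the password under a key whose name contains "password". The crontab sample in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added post-install audit helpers for the Anemone Browser skill. Example code
# written for this review, not part of the anemone-browser package.
# Assumptions not confirmed by the scan report (adjust to what you find on the host):
#   - the healthcheck cron line contains the string "anemone"
#   - noVNC links carry the VNC password in a query parameter named "password"
#   - /tmp/anemone-state.json stores the password under a key containing "password"

# Replace the password query parameter in a noVNC URL before the link is logged,
# pasted into a ticket or sent over chat. Prints the redacted URL.
redact_vnc_url() {
  printf '%s\n' "$1" | sed -E 's/([?&])password=[^&#]*/\1password=REDACTED/'
}

# Filter a crontab (stdin) down to non-comment lines that mention the skill.
# Exit status 0 when at least one matching line was found, 1 otherwise.
find_healthcheck_cron() {
  grep -v '^[[:space:]]*#' | grep -i 'anemone'
}

# Decide whether a state file leaks password material to other local users:
# exit 0 (exposed) when it contains a password-looking key AND its mode grants
# read access to group or other; exit 1 otherwise. The decision is based on the
# mode bits, so it gives the same answer whether or not you run it as root.
state_file_exposed() {
  f="$1"
  [ -f "$f" ] || return 1
  grep -qi 'password' "$f" || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD/macOS
  mode=$(printf '%s' "$mode" | sed 's/^0*//')
  [ -n "$mode" ] || mode=0
  grp=$(( (mode / 10) % 10 ))   # group digit of the octal mode
  oth=$(( mode % 10 ))          # other digit of the octal mode
  if [ $(( grp & 4 )) -ne 0 ] || [ $(( oth & 4 )) -ne 0 ]; then
    echo "EXPOSED: $f holds password material and is mode $mode"
    return 0
  fi
  return 1
}

# Walk the locations the report names and print what is there. Run as root
# after installing the skill; it only reads, never modifies.
audit_host() {
  echo "== root crontab entries mentioning the skill =="
  crontab -l 2>/dev/null | find_healthcheck_cron || echo "(none found)"
  echo "== persistent files under /root =="
  ls -la /root/.vnc /root/.chrome-profile 2>/dev/null || echo "(absent)"
  echo "== system-wide Chrome policies =="
  ls -la /etc/opt/chrome/policies/managed 2>/dev/null || echo "(absent)"
  echo "== state file in /tmp =="
  state_file_exposed /tmp/anemone-state.json || echo "(no group/other-readable password material in /tmp/anemone-state.json)"
}

if [ "${1:-}" = "audit" ]; then
  audit_host
fi
```

Save it as audit.sh and run `sudo sh audit.sh audit` on the host after install. To redact a link before sharing it, `redact_vnc_url 'http://203.0.113.10:6080/vnc.html?autoconnect=true&password=s3cret'` prints the same URL with `password=REDACTED`; to preview what the cron filter would report, pipe a constructed crontab such as `*/2 * * * * /root/anemone-healthcheck.sh` into `find_healthcheck_cron`. If the state file is flagged, tightening it with `chmod 600 /tmp/anemone-state.json` closes the local read, but the password is still on disk in /tmp, so rotate it if other users had access.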