Skill v1.0.0
ClawScan security
Gemini Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 1:57 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are coherent with its stated purpose (automating Gemini via an attached Chrome tab), but it exercises powerful browser capabilities and has a few minor platform/documentation mismatches you should note before installing.
- Guidance
- This skill appears to do what it says: it automates Gemini by attaching to a real Chrome tab via OpenClaw Browser Relay. Important cautions before you install/use it:
  - Only attach the extension to a tab you explicitly want the agent to control — the agent can read and interact with anything visible in that tab (including your account context and page data).
  - Use a dedicated Chrome profile (or a secondary Google account) for automation to limit exposure, as the author recommends.
  - The evaluate action runs arbitrary JavaScript in-page. That capability is required for Quill-based input, but it also means a malicious or misused agent could extract other page content. Rely on the manual-click attachment safeguard.
  - The SKILL.md contains macOS-specific commands (open -a, pbpaste). If you're on Windows/Linux, these commands will fail; the skill metadata does not declare an OS restriction or required binaries. Ensure you adapt the clipboard/read commands or only use it on macOS.
  - Verify you trust the OpenClaw Browser Relay extension and the environment (the extension's auth token and loopback binding are the gatekeepers for local access).
- If you accept these risks and follow the mitigations (manual attach, separate profile/account), the skill is internally coherent. If you need higher assurance, ask the author for explicit OS compatibility notes and for the minimal set of commands/tools required (e.g., pbpaste alternative for other OSes).
Review Dimensions
- Purpose & Capability
- ok: The skill's name/description match the actions in SKILL.md: it uses OpenClaw Browser Relay to control a real Chrome tab and interact with gemini.google.com. Required pieces (Browser Relay, OpenClaw, a logged-in Chrome profile) are appropriate. Minor inconsistency: the instructions use macOS-specific commands (open -a, pbpaste) and assume a local pbpaste tool, but the skill metadata does not declare an OS restriction or required binaries.
- Instruction Scope
- note: The SKILL.md stays within the stated purpose (open Gemini, inject text into the Quill editor, submit, and extract response). However, it requires executing arbitrary JavaScript in the page context via the evaluate action, a necessary capability for this automation but a high-privilege one: anything visible in the attached tab can be read or manipulated. The doc repeatedly warns about this and requires a manual extension click to attach, which is a mitigating control.
- Install Mechanism
- ok: Instruction-only skill with no install spec or external downloads. This is low risk from an installation standpoint.
- Credentials
- ok: The skill does not request environment variables, credentials, or config paths. That is proportionate for a browser-automation skill that operates through the user's existing browser session. Note: it does rely on local clipboard access (pbpaste) and OpenClaw being installed, which are not declared as required binaries.
- Persistence & Privilege
- ok: always is false and the skill is user-invocable; it does not request persistent or privileged presence. Autonomous invocation (disable-model-invocation=false) is the platform default and not a standalone concern here. The skill does not attempt to modify other skills or system-wide settings.
