Skill v0.2.2

VirusTotal security

Clawnet · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious
Apr 30, 2026, 4:42 AM
Hash
13aef74e3fe5fc3cefd2eb1c3305436ebf3bf02b59d7db4a9924db84b45043b8
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: pets-browser
Version: 0.2.2

The skill is classified as suspicious due to two main vulnerabilities:

1) The `ActionLogger` in `scripts/browser.js` logs all browser actions, including potentially sensitive user input (like passwords from `page.fill` or `page.type` calls) to local files (`~/.clawnet/logs/<session-id>.jsonl`) without sufficient sanitization, posing a privacy risk.

2) The `browser-daemon.js` exposes an `/eval` HTTP endpoint, allowing the agent to execute arbitrary JavaScript code via `page.evaluate(expression)`. While intended for legitimate use, this powerful capability could be exploited via prompt injection against the AI agent, leading to Remote Code Execution within the browser context.

There is no clear evidence of intentional malicious behavior by the skill itself, such as exfiltrating data to unauthorized endpoints or establishing backdoors.