Jarvis Browser Setup

This skill is not obviously malicious, but it has inconsistencies and risky assumptions you should understand before running it. Things to check/do before installing or executing: - Do not assume the WebSocket server will be started automatically: SKILL.md claims auto-start, but scripts only prepare files and print instructions—you must manually inspect and start the server. Look for and review the actual server file (e.g., server/jarvis_server_v3.5_fixed.py) before running it. - Verify token handling: the script generates a token but does not explicitly inject it into the extension in a robust way. After running, inspect extension/config.js and server config to ensure the token is present only where intended and not accidentally exposed. - Confirm the template path: the script copies files from /home/openclaw/.openclaw/workspace/jarvis-browser-v3.3-hybrid. If that path exists on your system it will be read/copied — ensure those files are safe and don’t contain secrets. If the path does not exist the script will print a warning and do less than the README promises. - Run in an isolated/sandbox environment first (VM or container) and review all generated files (config.json, server/*, extension/*) before exposing any machine or network port publicly. - Be cautious with the generated token: treat it as a secret. Do not share the output folder publicly. If you decide to use this, rotate tokens and restrict network access to the server (firewall, bind to localhost or trusted interface). If you need higher assurance, ask the publisher for the server code (jarvis_server_v3.5_fixed.py) and the extension source so you can audit how authentication is validated and whether any telemetry or external endpoints exist. If you cannot verify those, mark this skill as untrusted and avoid running it on production machines.