Back to skill
Skillv1.0.1
VirusTotal security
Enable AI Agent to retrive data from websites that need user signin · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 3:40 AM
- Hash
- 664757865175e7fd3ec68fa18edfc18b380422c8d2a30c36059fbec280de0ec0
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: browser-ability Version: 1.0.1 The skill is classified as suspicious due to its high-privilege browser control capabilities via Chrome DevTools Protocol (CDP) and a significant prompt injection risk in `SKILL.md`. The instruction "If there's no tool available, just directly open browser and browse yourself via CDP" could be exploited by a prompt-injected AI agent to perform unintended browsing actions, potentially accessing sensitive data or internal resources, despite other constraints in the documentation. Furthermore, the `script.js` sends the user's `CDP_URL` to an external `SERVER_URL` (MCP server), introducing a critical trust dependency where a compromised or malicious MCP server could gain full control over the user's browser session.
- External report
- View on VirusTotal