Browser Control
Status: Pending (static analysis audit pending).
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could act inside accounts the user just unlocked or verified.
The instructions give the agent broad browser-control authority after the user has authenticated, with no clear per-site, per-action, or approval boundary.
When you need the user to:
- Log into a website
- Complete 2FA / MFA
- Solve a captcha
- Do any manual browser action
...
8. Continue using browser via CDP (localhost:9222)
Use only for a specific requested task, prefer a disposable browser profile or VM, and require explicit approval before any account-changing action.
Actions performed after login may be treated by websites as actions by the user.
The skill is designed to use the user's identity, login sessions, and MFA completion as delegated authority for later browser automation.
Use when you need the user to log into a website, complete 2FA/MFA, solve a captcha, or do any manual browser action.
Only use this with agents and websites you trust, and avoid sensitive accounts unless the exact task and allowed actions are clear.
Installation changes the local system and depends on third-party package sources.
The installer uses system package managers, pip, and remote downloads. That is expected for this kind of tool, but the install surface is larger than the registry metadata suggests.
sudo apt-get install -y tightvncserver xfce4 xfce4-terminal xterm novnc websockify curl jq
...
curl -fsSL https://github.com/novnc/noVNC/archive/refs/tags/v1.4.0.tar.gz | tar -xz -C "$SKILL_DIR"
...
pip3 install websockify
Review the installer before running it, install only on a machine where remote browser tooling is acceptable, and prefer pinned or trusted package sources.
A future agent context or anyone with access to those files may see the remote browser link and embedded VNC password.
The generated noVNC URL can include the VNC password and is written into the workspace TOOLS.md file, making a sensitive live access link persistent in agent-readable context.
NOVNC_URL="${TUNNEL_URL}/vnc.html?password=${VNC_PASSWORD}&autoconnect=true"
...
- noVNC URL: $NOVNC_URL
Do not store live access URLs in persistent agent notes; redact the password, remove stale URLs when stopped, and rotate the VNC password if exposed.
Users may treat the link as less sensitive than it is.
The documentation shows a password embedded in the URL, but also tells the agent not to mention passwords and claims there is no password to leak, which understates the sensitivity of the link.
"novncUrl": "https://xxx.ngrok.app/vnc.html?password=xxx&autoconnect=true"
...
Note: Do NOT mention passwords. The link includes auto-login.
...
- No password to leak - authentication is via Google
Clearly warn users that the link is sensitive, contains an auto-login secret for VNC, and should not be shared.
Remote browser access can remain available after the immediate task unless the user or agent stops it.
Starting the skill creates a background public tunnel to the browser interface, and the artifacts do not show an automatic timeout or required cleanup.
ngrok http 6080 \
--oauth=google \
--oauth-allow-email="$ALLOWED_EMAIL" \
--log=stdout \
> $SKILL_DIR/ngrok.log 2>&1 &
...
echo "🔄 Tunnel running in background (PID: $NGROK_PID)"
Stop the tunnel immediately after use, add an automatic timeout, and verify that no ngrok, noVNC, or VNC processes remain running.
