Passo - Remote Browser Access

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s purpose is clear, but it asks you to run an unverified remote installer that sets up a browser/VNC tunnel for sensitive logins and 2FA.

Install only if you trust Passo and have reviewed the remote installer. Prefer using a dedicated server, VM, or container; confirm the protected email; avoid entering highly sensitive credentials unless you understand the provider’s security model; and stop the tunnel and clear the browser session after use.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running this could execute unreviewed code on the server and install components that control a remote browser tunnel.

Why it was flagged

The skill instructs the user to execute a remote installer directly from a mutable GitHub branch, while the installer code, checksum, and pinned version are not included in the reviewed artifacts.

Skill content

curl -fsSL https://raw.githubusercontent.com/felipegoulu/passo-client/main/install.sh | bash

Recommendation

Review the installer before running it, prefer a pinned release or checksum-verified package, and install only in an isolated VM/container or other low-risk environment.

What this means

Credentials, 2FA flows, cookies, or account sessions used in the remote browser may be exposed if the tunnel, provider account, or authorized email is misconfigured or compromised.

Why it was flagged

The skill routes sensitive browser interactions through a remote access URL/service, but the artifacts do not explain session isolation, recording/retention, provider visibility, or other data-boundary controls.

Skill content

Give your user remote access to a browser on your server. Perfect for logins, 2FA, captchas

Recommendation

Use only with accounts you are comfortable accessing through this service, verify the provider’s security model, stop the tunnel after use, and clear browser sessions or use an isolated profile.

What this means

The configured Google identity determines who can access the browser session; choosing the wrong email or using a compromised account could expose the session.

Why it was flagged

Access control depends on a Google sign-in and the configured email address. This is purpose-aligned, but it is an important identity authority for a remote browser.

Skill content

User signs in with Google (only their email can access)

Recommendation

Confirm the protected email is correct, avoid shared Google accounts, and revoke or disable access when it is no longer needed.

What this means

If the tunnel is left running longer than intended, the remote browser remains available to the authorized account.

Why it was flagged

The tunnel can run as an ongoing service, but the start and stop controls are documented.

Skill content

passo start   # Start the browser tunnel
passo stop    # Stop everything

Recommendation

Start the tunnel only when needed, run `passo stop` after each session, and check `passo status` to confirm it is not still running.