Skill v0.1.1

ClawScan security

mcp-chrome · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 23, 2026, 11:51 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions are coherent with its stated purpose (controlling your existing Chrome session) but it asks you to install a third‑party native bridge and extension that, if malicious or buggy, could access highly sensitive browsing data (cookies, history, bookmarks, network traffic) — proceed only after verification and containment.
Guidance
This skill appears to do what it says (control your existing Chrome), but it requires installing an unpacked Chrome extension and a global native bridge that can read cookies, history, bookmarks, and capture network traffic — this is powerful and risky. Before installing:
1) Verify the publisher and repository (inspect the GitHub repo and npm package author, recent commits, and issues).
2) Review the extension and bridge source code (or ask a trusted reviewer) to confirm they do only the advertised MCP work and do not exfiltrate data.
3) Load and test in a dedicated/sandbox Chrome profile with no sensitive logins or data (or in a disposable VM/container).
4) Limit the agent's autonomy (require user invocation or disable automatic invocation) while you evaluate behavior.
5) After testing, remove the extension and uninstall the global package if not needed.
6) Prefer signed extensions or official store distribution and integrity checks (checksums, signatures).
If you cannot verify the code and provenance, treat this as high-risk and avoid installing it in your main browser profile.

Review Dimensions

Purpose & Capability
ok
The name/description (Chrome automation using MCP) matches the SKILL.md: it documents navigation, screenshots, form filling, history/bookmark access, and network capture. The capabilities requested are consistent with automating and interacting with an existing Chrome instance.
Instruction Scope
concern
The runtime instructions direct the user to install a global npm native bridge and load an unpacked Chrome extension that will connect to a local MCP server. Those components explicitly enable access to browsing history, bookmarks, existing login sessions (cookies), console output, and network request capture — all highly sensitive. The SKILL.md does not instruct the agent to exfiltrate data, but it gives the skill the ability to read and act on personal data in the browser (and to send requests using browser cookies). There is no guidance in the document about limiting scope or auditing the extension/bridge code.
Install Mechanism
note
There is no formal install spec in the skill bundle, but SKILL.md instructs the user to install an npm package globally (mcp-chrome-bridger) and to load a Chrome extension from a GitHub Releases archive. npm and GitHub Releases are common distribution channels, but the referenced repo/author (femto/mcp-chrome) and package are not accompanied by provenance, integrity checks, or a homepage. Installing a global binary and an unpacked extension is persistent and can be abused if the source is untrusted.
Credentials
concern
The declared requirements list no environment variables or binaries, but the SKILL.md effectively requires installing software that will access browser internals (cookies, history, bookmarks) and run a local server. The skill requests broad, sensitive browser-level privileges that are proportionate to implementing 'use existing sessions' but are not explicitly declared or constrained in the metadata — there is a mismatch between the metadata (no credentials/config) and the real runtime privileges the extension + bridge will gain.
Persistence & Privilege
concern
Although always:false, the installation flow includes a persistent Chrome extension and a globally installed native bridge that can run a background local server (e.g., listening on localhost:12306). These create ongoing local presence and a long‑lived channel into the browser if left installed. The skill does not describe uninstall/verification steps or least-privilege controls.