Skill v1.0.0
ClawScan security
Use My Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 9, 2026, 1:53 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill does what it claims (run arbitrary JS in your real Chrome session via a Tampermonkey userscript), but its runtime instructions permit broad access to cookies, login sessions, and page DOM and require installing a third-party userscript — which is high-risk and not constrained by the SKILL.md.
- Guidance: This skill is coherent with its description but potentially dangerous: it instructs running arbitrary JavaScript inside your real Chrome sessions (sharing cookies and logins) by installing a third-party Tampermonkey userscript. Before installing or using it: (1) review the exact userscript source on GitHub line-by-line to ensure it doesn't exfiltrate data or phone home; (2) inspect the openclaw-tmwd plugin's code and npm page; (3) avoid using it on sensitive sites (banking, email, etc.) and consider testing with a throwaway profile; (4) require explicit human confirmation before the agent performs actions that submit forms or read private pages; and (5) if you cannot fully audit the userscript/plugin, do not install — the capability to act with your browser's auth is equivalent to giving the skill powerful access to your accounts.
Review Dimensions
- Purpose & Capability (note): The name/description match the instructions: the skill explicitly instructs the agent to control the real Chrome browser via a Tampermonkey userscript and an openclaw plugin. Reusing login sessions is part of the stated purpose, so the requested capabilities are coherent with the skill's stated goal.
- Instruction Scope (concern): The SKILL.md instructs the agent to execute arbitrary JavaScript in pages (tmwd_exec), read visible text, and interact with DOM elements. That grants the agent the ability to access cookies, localStorage, and any data the logged-in browser session can access (including sensitive pages). The instructions do not impose scope limits, per-action confirmation, or safe-usage constraints; they also provide examples that could be used to exfiltrate data (e.g., arbitrary JS with fetch/XHR).
- Install Mechanism (concern): There is no packaged install spec, but the SKILL.md tells the user to install an openclaw plugin and to install a Tampermonkey userscript from a raw.githubusercontent.com URL (owner: lsdefine). Pulling and running an external userscript is high-risk: the script runs with page privileges and comes from a third-party account with no homepage or trust signals in the skill metadata. This is disproportionate unless the userscript and plugin are audited by the user.
- Credentials (note): The skill requests no environment variables or system credentials, which is proportionate. However, it depends on browser-level credentials (cookies/session state) implicitly; those are effectively powerful secrets because the skill reuses the user's login sessions and can act as the user on visited sites.
- Persistence & Privilege (concern): The skill's always field is false (good), but the agent may invoke the skill autonomously. Combined with the skill's ability to run arbitrary JS in the user's active browser session, this increases the blast radius: an autonomously invoked agent could perform actions in the user's identity without per-action confirmation. The SKILL.md does not require explicit user confirmation for actions that interact with sites or submit forms.
