Skill v1.0.0
ClawScan security
BrowserMCP Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (scanned Feb 25, 2026, 2:22 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally coherent for local browser automation but contains several practices that increase risk (using the user's real browser profile, examples that automate credentials/2FA, and reliance on npx-installed code) and should be used only after the user verifies the extension/package sources and consents to sensitive actions.
- Guidance: This skill appears to do what it says (control your real browser via a local MCP server + Chrome extension), but that capability is powerful and sensitive. Before installing or using it:
  - Verify the extension and MCP package provenance: prefer the Chrome Web Store entry and the official npm/GitHub repository (browsermcp.io / github.com/browsermcp). Inspect extension permissions and the npm package (source, recent releases, maintainers) if possible.
  - Understand the privacy impact: the extension can access the active tab, your cookies, and logged-in sessions. Any automation can perform actions on your behalf (post, purchase, read private data). Only run automation you explicitly approve.
  - Be cautious with credentials and 2FA: avoid typing real passwords or recovery codes into automated flows unless you fully trust the environment — prefer manual entry or using an isolated browser profile for automation.
  - Treat npx usage as remote code execution: `npx @browsermcp/mcp@latest` will fetch and run third-party code on your machine. If you need stronger assurance, install the package locally, audit it, or use pinned versions rather than `@latest`.
  - 'Stealth' and CAPTCHA-bypass claims increase misuse risk: consider policy and legal implications before automating actions intended to evade bot detection.
  If you want a safer setup, ask the skill author for: (1) links to the specific npm package and extension source code, (2) an option to run against an isolated browser/profile (not your default profile), and (3) explicit guidance that forbids automated entry of secrets or automated purchases without user confirmation.
Review Dimensions
- Purpose & Capability: ok. Name/description align with the instructions and included references: the skill controls a local MCP server + Chrome extension to automate an existing browser session. Requested resources (`npx @browsermcp/mcp` via template) are consistent with this purpose.
- Instruction Scope: note. SKILL.md focuses on browser automation tools (navigate, snapshot, click, type, screenshot, get_console_logs) and stays within that domain. However, it explicitly instructs actions that can access authenticated sessions (login flows, OAuth, 2FA) and includes examples that type passwords/2FA codes — even if it sometimes recommends manual entry. It also claims 'stealth' and 'bypass common bot detection/CAPTCHAs', which widens potential for misuse.
- Install Mechanism: note. There is no install spec in the package itself, but templates and setup docs instruct adding an MCP server configured to run `npx @browsermcp/mcp@latest`. Using npx/npm to pull and run a remote package is a common pattern for MCP tools but is a moderate-risk install mechanism (remote code executed on the user's machine). No obscure URLs or shorteners are used in documentation; references point to browsermcp.io, GitHub and the Chrome Web Store when available.
- Credentials: note. The skill declares no required env vars or credentials, which is proportionate. However, the guidance and examples show automating passwords/2FA and using the user's existing browser profile (cookies, sessions). That implicitly grants the skill access to sensitive credentials and account sessions via the extension — expected for this capability but high sensitivity in practice. The SKILL.md does not define or require secure handling/storage of secrets.
- Persistence & Privilege: ok. No `always: true` or other elevated persistence or system-wide config changes are requested. The skill is instruction-only and does not request persistent platform-level privileges. It does instruct the user to install a browser extension and run an MCP server locally, which are normal for this functionality.
