urlgo
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: urlgo Version: 6.5.1 The skill bundle provides documentation and instructions for 'urlgo', a browser control CLI tool using the Chrome DevTools Protocol (CDP). The SKILL.md file outlines standard browser automation capabilities such as navigating to URLs, taking screenshots, and executing JavaScript, while providing technical guidance on process management and path configuration to ensure reliability. No evidence of malicious intent, data exfiltration, or prompt injection was found; the instructions are strictly aligned with the stated purpose of browser automation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could interact with webpages, enter text, click controls, or run JavaScript in a page when directed to use this skill.
The skill exposes direct browser automation actions, including arbitrary JavaScript execution and page interaction. This is expected for a browser-control CLI, but it can perform high-impact actions on webpages if used carelessly.
`urlgo eval <id> "<js>"` | 执行 JS ... `urlgo click <id> "<sel>"` ... `urlgo type <id> "<sel>" "<text>"`
Use it only on pages you intend to automate, and review/approve actions that could submit forms, change account data, or run custom JavaScript.
The skill may fail unless an external urlgo command exists, or the agent may end up running a urlgo executable that was not included in this reviewed artifact set.
The instructions rely on a urlgo script/CLI and dependencies, but the registry says there is no install spec and no code files are present. This is an incomplete provenance/install context rather than direct malicious evidence.
`urlgo` 脚本不在系统 PATH 中 ... 使用 skill base dir 全路径调用 `python3 <skill_dir>/urlgo` ... 依赖: curl, websockets(Python)
Before use, confirm where the urlgo command comes from and install dependencies from trusted sources.
A controlled browser process may remain running after the task, which could leave CDP/browser state active until the browser is closed.
The skill documents launching a browser in a detached/background process. That is purpose-aligned for CDP automation, but users should know it may continue after the immediate command finishes.
改用 `subprocess.Popen(start_new_session=True)`(Linux)或 `DETACHED_PROCESS`(Windows)... 启动浏览器(后台运行,不会阻塞)
Close the browser when finished and prefer a documented stop/cleanup workflow if one is available.