Skill v4.0.1

ClawScan security

Virtual Desktop Pro v4 -- Universal Browser Execution · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 11:48 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required environment are coherent with a persistent authenticated browser sidecar: it needs Docker, a VNC password, and a Chrome CDP endpoint and uses optional third-party keys for CAPTCHA, proxies, and vision — nothing requested appears unrelated to its stated purpose.
Guidance
This skill appears to do what it claims, but it grants the agent broad access to any sites you log into via the persistent browser and uses optional third-party services that can receive data (screenshots, pages) and incur costs. Before installing:
1) Back up your docker-compose.yml; review the one-liner change before applying.
2) Run the browser sidecar on an isolated VPS or test environment first.
3) Restrict access to port 6901 (prefer SSH tunnel or firewall rule to your IP).
4) Use a strong VNC_PW and rotate it if you stop using the skill.
5) Only set CAPSOLVER/BROWSERBASE/ANTHROPIC/TELEGRAM keys if you trust those services; expect CAPTCHA screenshots and page content to be transmitted.
6) Inspect the kasmweb/chrome image version and consider pinning/updating it from an official source.
7) Monitor /workspace/logs and audit the AUDIT.md and screenshots for unexpected activity.
If you want higher assurance, ask the publisher for provenance of the repo and a signed release or run the container with network egress rules to limit external destinations.

Review Dimensions

Purpose & Capability
ok: Name/description (persistent Chrome sidecar + authenticated sessions) align with required binaries (docker, python3), required env vars (VNC_PW, BROWSER_CDP_URL) and the included browser_control.py. External services listed (CapSolver, Browserbase, Anthropic) are optional and match features (CAPTCHA solving, residential proxy, Claude Vision).
Instruction Scope
note: SKILL.md instructs the agent to edit docker-compose.yml, create a persistent Docker volume, open port 6901 (or use SSH tunnel), and write logs/screenshots and learning files into /workspace. It also uses Telegram notifications for CAPTCHA/manual actions. These are all within the scope of running a persistent browser, but they do grant broad access to any sites you log into and may send screenshots/notifications externally (Telegram). The skill also reads some workspace files for context (/workspace/TOOLS.md, .learnings/*); this is reasonable but worth noting if those files contain sensitive data.
Install Mechanism
note: There is no formal install spec, so installation is instruction-driven (pull kasmweb/chrome via Docker, install Playwright/requests in the container). Pulling a ~2GB Docker image is expected. The repo doesn't contain opaque external download URLs; the main runtime download is the official kasmweb/chrome image and Python packages. Confirm you are comfortable with pulling that image and with the network access required to fetch Playwright runtimes.
Credentials
note: Required env vars (VNC_PW, BROWSER_CDP_URL) are proportional to a noVNC/CDP browser sidecar. Optional keys (CAPSOLVER_API_KEY, BROWSERBASE_API_KEY, ANTHROPIC_API_KEY, TELEGRAM_BOT_TOKEN) are justified by their named features. Caveats: providing these keys gives the skill the ability to send data to third-party services (CapSolver, Browserbase, Anthropic) and will incur costs; Telegram notifications may include screenshots or session status and could leak sensitive content if the Telegram channel is not private.
Persistence & Privilege
ok: The skill requests persistent sessions (Docker volume 'browser-profile') and writes logs/screenshots into /workspace, which is consistent with its purpose. It sets always:false and does not modify other skills' configs. Autonomous invocation is allowed by default, which is not uncommon; combine it with the above (persistent sessions + optional external keys) only if you trust the runtime and keys.