Skill v1.0.7
ClawScan security
Virtual Desktop — Universal Browser Execution · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 12:32 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill does what it claims (creates a persistent authenticated browser sidecar and automates interactions), and its requirements and code largely match that purpose. However, it takes actions that materially increase attacker blast radius: persistent sessions, exposed VNC/CDP ports, automatic edits to compose/config files, and a weak default password. Proceed with caution and run it in isolation.
- Guidance: This skill appears to be internally consistent with its stated purpose, but it materially increases the risk that an agent (or an attacker who controls the agent) can act as logged-in users and access arbitrary sites using persisted sessions. Before installing:
  - Do not run on a production or multi-tenant host; deploy in an isolated VM/VPS or sandbox.
  - Review and set a strong VNC_PW in .env before starting; avoid the default 'CHANGE_ME_NOW'.
  - Avoid exposing ports 6901 (noVNC) and 9222 (Chrome CDP) to the public internet; restrict access via firewall/VPC or use SSH/VPN tunneling.
  - Understand optional API keys: CAPSOLVER (paid CAPTCHA solver) and BROWSERBASE (residential proxy) can enable bypassing anti-bot protections; only add them if you trust the provider and need the capability.
  - Confirm how Telegram notifications are delivered; if you do not want Telegram notifications, remove TELEGRAM_BOT_TOKEN and verify behavior.
  - Audit browser_control.py and SKILL.md yourself (or have a developer review) for any hardcoded endpoints or unexpected network calls; the code does call api.capsolver.com and api.anthropic.com as advertised.
  - If you must use it, limit the agent's permissions, rotate or revoke sessions regularly, and consider making browser profiles ephemeral instead of permanent to reduce long-term exposure.
Review Dimensions
- Purpose & Capability (ok): The name/description (persistent authenticated browser via a kasmweb/chrome Docker sidecar) matches the declared binaries (docker, python3, openclaw), the required env vars (VNC_PW, BROWSER_CDP_URL), and the code (browser_control.py), which implements CDP/Playwright, CAPTCHA solving, and Claude Vision. Optional API keys (CapSolver, Browserbase, Anthropic) are appropriate to the advertised features.
- Instruction Scope (concern): Runtime instructions automatically edit docker-compose.yml, .env and openclaw.json, map ports 6901 and 9222, create a persistent Docker volume for browser profiles, and direct the agent to use stored authenticated sessions indefinitely. These actions are coherent with the feature set but significantly broaden scope: they persist cookies/sessions that allow the agent to act as logged-in users, expose remote VNC/CDP endpoints if host port mappings are used, and default to a weak VNC_PW value ('CHANGE_ME_NOW') unless the principal changes it.
- Install Mechanism (ok): No external install script or remote download is used; this is an instruction-plus-local-Python-script skill that edits configuration files and ships a contained Python control script. That lowers supply-chain risk compared with arbitrary remote downloads.
- Credentials (note): Required env vars (VNC_PW, BROWSER_CDP_URL) are proportional. Optional keys (CAPSOLVER_API_KEY, BROWSERBASE_API_KEY, ANTHROPIC_API_KEY, TELEGRAM_BOT_TOKEN) map to advertised capabilities. Minor inconsistency: SKILL.md metadata claims Telegram uses the existing agent channel ('no separate token required') while TELEGRAM_BOT_TOKEN is listed as optional; clarify how Telegram notifications are delivered. Also be aware that CapSolver and Browserbase imply costs and privacy tradeoffs.
- Persistence & Privilege (note): The skill requests persistent presence of a browser profile (Docker volume) and modifies OpenClaw configuration (openclaw.json) to enable a browser profile. It does not set 'always: true'. Modifying agent/platform config and creating long-lived authenticated browser sessions increases privilege and long-term access surface but is consistent with the skill's functionality.
