ClawHub

CatFee Dokobot

SuspiciousAudited by ClawScan on May 10, 2026.

Overview

This skill is coherent browser automation, but it can read authenticated pages through your real Chrome session without clearly limiting which accounts, profiles, or private data it may access.

Install only if you are comfortable granting browser-automation access to a real Chrome session. Prefer a separate Chrome profile, verify the Dokobot tooling, review each URL before use, and avoid logged-in pages containing sensitive personal, financial, or business data unless that access is intentional.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ConcernHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

The agent could read private content from sites where you are already logged in and place that content into the conversation or tool output.

Why it was flagged

The skill explicitly supports authenticated/session-based browsing through the user's real Chrome environment, but does not bound which Chrome profile, sites, accounts, or private pages may be read.

Skill content
pages that require login/session ... Chrome must be open with the Dokobot extension enabled for `--local` mode to work
Recommendation

Use a dedicated Chrome profile with only the accounts needed for the task, approve each authenticated URL explicitly, and avoid using this skill on sensitive accounts unless you intend that content to be read.

NoteHigh Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing the external tooling may add software that can interact with your browser outside the reviewed skill text.

Why it was flagged

The skill depends on external global CLI, browser extension, and bridge components that are not included or version-pinned in the provided artifacts. This is expected for the stated browser-automation purpose, but users must trust those external components.

Skill content
`npm install -g @dokobot/cli` ... Chrome browser with Dokobot extension installed ... `dokobot install-bridge`
Recommendation

Verify the Dokobot CLI, extension, and bridge from trusted sources, review their permissions, and keep them updated or remove them when no longer needed.