Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
web-llm-chat
v1.0.0Chat with web-based LLMs through the Chrome Relay extension. Supports Qwen (chat.qwen.ai) and Kimi (kimi.com) via scripts; more sites may be added. Use for w...
⭐ 0· 182·0 current·0 all-time
by@godiao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (web-based LLM chat via Chrome Relay) matches the included code and docs: it connects to a local OpenClaw gateway/relay and a Qwen chat tab. However the registry metadata claims no required config paths or credentials, while the code expects an OpenClaw config file (openclaw.json) containing gateway.auth.token. That undeclared requirement is an inconsistency.
Instruction Scope
SKILL.md tells the agent to run the included Node script which connects to a local gateway and Relay, reads page content, and extracts responses. The runtime instructions and the script only target localhost (gateway/relay and local CDP via WebSocket) and the browser tab; there are no external network endpoints in the docs. The script does, however, instruct/require reading local OpenClaw config files to derive a relay token — this file access is outside what the metadata advertised and should be explicitly declared.
Install Mechanism
No install spec is provided (instruction-only with code files). The package.json only depends on the widely used 'ws' npm package; SKILL.md tells users to 'npm install ws'. There are no remote downloads or extraction of arbitrary archives in the skill bundle.
Credentials
The manifest lists no required environment variables or config paths, but the script reads openclaw.json from multiple filesystem locations (including E:\.openclaw\... and ~/.openclaw/...), extracts gateway.auth.token, and derives an HMAC relay token. Accessing that local token is sensitive and should have been declared as a required config/credential. The script also optionally reads an env flag for debug output (QWEN_CHAT_DEBUG_EXTRACT). Requiring access to a gateway auth token is proportionate for the stated operation, but the omission from declared requirements is a privacy/visibility concern.
Persistence & Privilege
The skill is not forced-always, does not request elevated platform-wide privileges, and does not modify other skills or system-wide config. It runs as a user-level Node script and communicates with local gateway/extension endpoints only.
What to consider before installing
Key things to consider before installing/running this skill:
- It will read your local OpenClaw configuration file (openclaw.json) to obtain gateway.auth.token and derive a relay token. This token is sensitive; the skill metadata does not declare this file/credential requirement — treat that as a privacy gap.
- The script connects to localhost (127.0.0.1) ports used by your OpenClaw gateway/relay and to the browser tab via CDP; it does not contact remote servers according to the provided code, but you should still review the source (scripts/qwen_chat.js) yourself before running.
- If you trust the skill: run it on a machine/account that contains only the necessary credentials, inspect outgoing network traffic (to ensure nothing is exfiltrating), and install npm dependencies from official registries.
- If you do not want the skill to access your gateway token, do not run it, or modify the script to accept the token via an explicit user-supplied environment variable or prompt and update the skill metadata to declare that requirement.
If you want higher confidence, ask the publisher to: (1) declare required config paths/credentials in the registry metadata, (2) add an option to pass the gateway token explicitly (instead of reading from disk), and (3) document exactly what files are read and why.Like a lobster shell, security has layers — review code before you run it.
latestvk97fvgmbp739as9n4f12tcahtd835g9x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.