Skill v1.0.0

ClawScan security

automation browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Reviewed: Mar 14, 2026, 2:41 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini

Summary
The skill's code and instructions match its stated purpose (controlling a local QQ Browser kernel), but the included install scripts download and install native binaries and a Python wheel from remote URLs and start a background service — actions that raise moderate operational and supply-chain concerns that users should understand before installing.
Guidance
This skill appears to implement what it claims, but the installer will download and install native packages and a Python wheel and start a background service on your machine. Before you install:

1. Confirm the download URLs and package publisher (the script points at a QQ domain) and prefer signed releases or vendor instructions.
2. Run the installer in a VM or isolated environment first. The script may require root to run apt/dpkg/yum and will write to /usr/local and create a background process.
3. Be cautious about pip3 --break-system-packages, which can alter system-managed Python packages.
4. Understand that the x5use binary will run a local SSE server on port 18009; if other services expose that port it could be reachable.
5. If you need stricter safety, avoid running the install script as root, review the x5use binary source or obtain it from a verifiable upstream, or prefer a sandbox/container deployment.

If you want, I can point out exact lines that start processes, download files, or create system paths, or help draft a safer install plan (containerized or with checksum verification).

Review Dimensions

Purpose & Capability
ok: Name/description align with what the files do: Python wrappers call a local MCP (x5use) service to automate a browser. The required binary (python3) and provided scripts are coherent with browser automation.
Instruction Scope
ok: SKILL.md clearly documents installing QQ Browser and the x5use service, starting the service, and running per-action scripts. The runtime instructions do not request unrelated files or credentials and confine actions to the local MCP service and browser automation tasks.
Install Mechanism
concern: Installation uses an included shell script that downloads .deb/.rpm and a .whl from a remote URL and runs dpkg/apt/yum and pip3 (--break-system-packages). Although the download host appears to be a QQ domain, the pattern (curl + dpkg/yum + pip install of a wheel) is a higher-risk supply-chain operation because it installs native binaries and third-party Python code on the host.
Credentials
ok: The skill requests no environment variables or unrelated credentials. It does require the ability to write system directories (creating /usr/local/qb_logs) and to install system packages, which is proportionate to installing a browser and service but does require elevated filesystem and package-manager access.
Persistence & Privilege
note: The skill will start (and can start) a persistent background binary service (x5use-linux-mcp) that listens on localhost:18009 and creates a log directory under /usr/local. This is expected for local automation but increases the attack surface (a native binary running as a background process). 'always' is false and agent autonomy is default (no special gating).