Skill v1.0.0
ClawScan security
pinchtab-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 6, 2026, 7:56 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, environment settings, and documented APIs are consistent with a local Chrome-control tool. Nothing in the package asks for unrelated credentials or side effects, but it legitimately requires careful operational hygiene (dedicated profile, local binding, token), and you must obtain and trust the external pinchtab binary separately.
- Guidance: This skill is coherent with its stated purpose, but the operational choices are yours to make carefully:
  1. Do not point BRIDGE_PROFILE at your everyday Chrome profile. Create and use an empty dedicated profile so saved logins and cookies are not exposed to the API.
  2. Keep BRIDGE_BIND=127.0.0.1, and set BRIDGE_TOKEN if the service is reachable from any network. If you must bind publicly, restrict access with firewall rules.
  3. Avoid disabling the Chrome sandbox (BRIDGE_NO_SANDBOX) unless you understand the risk.
  4. There is no packaged installer or bundled binary. Obtain the pinchtab executable from a trusted source and verify it before running.
  5. If an autonomous agent will call this API, limit its permissions and monitor requests and logs.
  If you want a deeper assessment, provide the pinchtab binary source or a release URL so I can evaluate install provenance and the binary itself.
Review Dimensions
- Purpose & Capability: ok
  - Name and description claim a local HTTP API to control Chrome; all included docs and examples show a local pinchtab binary serving a local HTTP API on port 9867. The declared requirements are minimal (the registry lists no required env vars), which matches the instruction-only nature of the skill. Nothing in the docs asks for unrelated services or secrets.
- Instruction Scope: note
  - SKILL.md instructs the agent to start a local pinchtab process and call its HTTP endpoints (navigate, snapshot, action, etc.). This stays within the stated browser-automation scope. Important caveat: the docs explicitly note that if PinchTab is pointed at a Chrome profile containing saved logins or cookies, the agent (and any other caller of the API) can act on authenticated sites. The instructions encourage local binding and a token, which is good, but they also permit disabling the Chrome sandbox (BRIDGE_NO_SANDBOX) and changing the bind address; both are powerful options that raise the risk if misused.
- Install Mechanism: note
  - There is no install spec, which is the lowest-risk delivery in that the skill package writes nothing itself. It does mean the skill expects an external pinchtab binary to already be present, and obtaining and verifying that binary is the user's responsibility. The documentation names no trusted download source or release host; verify the origin of the pinchtab binary (for example by pinning a release digest) before running it.
- Credentials: note
  - The skill does not require unrelated secrets. The documented environment variables (BRIDGE_BIND, BRIDGE_PORT, BRIDGE_TOKEN, BRIDGE_PROFILE, BRIDGE_BLOCK_IMAGES, etc.) are all relevant to its function. Two environment-related concerns to be aware of: (1) BRIDGE_PROFILE gives the process access to cookies and saved passwords if you point it at your daily Chrome profile; (2) BRIDGE_BIND=0.0.0.0, or omitting BRIDGE_TOKEN, exposes the API to the network. The docs call both out, which is appropriate.
- Persistence & Privilege: ok
  - The skill is instruction-only and not always-enabled; it does not request persistent elevated platform privileges, nor does it modify other skills or global agent configuration. Autonomous invocation is allowed (the platform default), which is expected for a skill that makes local HTTP calls; this widens the blast radius only if the pinchtab service runs with an unsafe configuration (public bind, no token, or a shared profile).
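The Guidance and Credentials items above both come down to the same handful of BRIDGE_* settings. The preflight below is an added example (not part of the skill or of pinchtab) that checks an environment against those recommendations before the binary is launched and verifies the binary against a digest you pinned from a release you trust. Everything beyond the variable names on the page is an assumption: the per-OS default Chrome profile paths, treating any BRIDGE_NO_SANDBOX value other than empty, `0` or `false` as "sandbox disabled", the 32-character minimum for BRIDGE_TOKEN, and the choice to fail when BRIDGE_BIND is unset rather than guess the binary's default.

```python
"""Preflight for a pinchtab BRIDGE_* environment (added example, not project code)."""
import hashlib
import hmac
import secrets
from pathlib import Path

# Assumption: usual per-OS Chrome/Chromium user-data roots for standard installs.
DEFAULT_PROFILE_DIRS = (
    "Library/Application Support/Google/Chrome",  # macOS
    ".config/google-chrome",                       # Linux, Chrome
    ".config/chromium",                            # Linux, Chromium
    "AppData/Local/Google/Chrome/User Data",       # Windows
)
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
MIN_TOKEN_LEN = 32  # assumption: this script's own policy, not pinchtab's


def check_bridge_env(env, home):
    """Return (severity, message) findings; any 'error' means do not start."""
    findings = []
    home = Path(home)

    profile = env.get("BRIDGE_PROFILE", "")
    if not profile:
        findings.append(("error", "BRIDGE_PROFILE unset; create a dedicated empty profile"))
    else:
        p = Path(profile).expanduser()
        for d in DEFAULT_PROFILE_DIRS:
            root = home / d
            if p == root or root in p.parents:
                findings.append(("error", f"BRIDGE_PROFILE {profile!r} is the everyday "
                                          "Chrome profile; saved logins and cookies would be exposed"))
                break

    bind = env.get("BRIDGE_BIND", "")
    token = env.get("BRIDGE_TOKEN", "")
    if not bind:
        findings.append(("warn", "BRIDGE_BIND unset; set it to 127.0.0.1 explicitly"))
    elif bind not in LOOPBACK:
        # Network-reachable without a token is the worst case called out on the page.
        findings.append(("error" if not token else "warn",
                         f"BRIDGE_BIND={bind} is reachable from the network; restrict with a firewall"))
    if not token:
        findings.append(("warn", "BRIDGE_TOKEN unset; anything that reaches the port can drive the browser"))
    elif len(token) < MIN_TOKEN_LEN:
        findings.append(("warn", "BRIDGE_TOKEN is short; generate one with secrets.token_hex(32)"))

    # Assumption: any value other than '', '0' or 'false' disables the sandbox.
    if env.get("BRIDGE_NO_SANDBOX", "").lower() not in ("", "0", "false"):
        findings.append(("error", "BRIDGE_NO_SANDBOX is set; the Chrome sandbox would be disabled"))
    return findings


def has_errors(findings):
    return any(sev == "error" for sev, _ in findings)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def digest_matches(actual_hex, expected_hex):
    """Constant-time comparison so a wrong pin fails the same way every time."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_binary(path, expected_sha256):
    """True iff the file at path hashes to the digest pinned from a trusted release."""
    with open(path, "rb") as f:
        return digest_matches(sha256_hex(f.read()), expected_sha256)


def hardened_env(profile_dir, port="9867"):
    """A minimal BRIDGE_* environment that passes every check above."""
    return {
        "BRIDGE_PROFILE": str(profile_dir),
        "BRIDGE_BIND": "127.0.0.1",
        "BRIDGE_PORT": port,
        "BRIDGE_TOKEN": secrets.token_hex(32),
    }


if __name__ == "__main__":
    import os
    import sys
    current = {k: v for k, v in os.environ.items() if k.startswith("BRIDGE_")}
    results = check_bridge_env(current, Path.home())
    for sev, msg in results:
        print(f"[{sev}] {msg}")
    sys.exit(1 if has_errors(results) else 0)
```

Run it in the shell that will start pinchtab, after exporting the BRIDGE_* variables; a non-zero exit means one of the "do not do this" items from the Guidance is in effect. `verify_binary` is only as good as the digest you pin: take it from the release you reviewed, not from the same unverified download.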
