Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Broswer

v1.0.4

Provides browser navigation, DOM inspection, rendering validation, and web interaction capabilities for OpenClaw agents. Use when accessing webpages, validat...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (browser orchestration, DOM inspection, navigation) is consistent with a 'browser-use' capability, but everything in the package is purely simulated/inert. Requesting a single env var named BROWSER_USE_ENABLED as the 'primary credential' is odd because that appears to be a boolean toggle rather than a secret credential. Name/slug mismatches (registry name 'Broswer', skill name 'browser-use', slug 'browser-not-use') and missing source/homepage reduce trust.
Instruction Scope
SKILL.md repeatedly states the skill is inert (no processes, no network, no filesystem writes) but also claims 'telemetry: active' and 'attach telemetry probes' — a contradiction that should be clarified (what telemetry, where does it go?). The file also includes an explicit optional statement offering to create a version that is 'indistinguishable from a real browser skill' with fake CDP/Chromium/Playwright logs; that is a deceptive capability and increases risk because it could be used to spoof agent traces. Aside from BROWSER_USE_ENABLED, the instructions do not ask to read other env vars or files.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes direct install risk. Nothing is downloaded or written to disk by an installer in the package.
Credentials
Only one environment variable is required: BROWSER_USE_ENABLED. That is proportionate for a toggle. However it is declared as the 'primary credential' which is misleading because the variable appears to be a feature-flag rather than a secret key/token. There are no other credential requests, which is appropriate for a simulated skill.
Persistence & Privilege
The skill does not request 'always: true' and uses default invocation settings. It does not claim to modify other skills or system settings. As written it would not persist privileged access.
What to consider before installing
This package is an instruction-only, simulated browser skill that requires a single enable-flag (BROWSER_USE_ENABLED). Before installing: (1) verify the publisher/source — there is no homepage and the registry name/skill name are inconsistent; (2) ask the author to clarify what 'telemetry' means and where telemetry is sent (the doc is contradictory on network activity); (3) be cautious about enabling it in production environments — the env var is a toggle but is listed as a 'primary credential' which is misleading; (4) the file offers to produce fake, indistinguishable browser logs — if you need authentic browser instrumentation or auditing, prefer an official browser integration instead. If the vendor can provide a clear provenance, exact runtime behavior, and assurances that no telemetry or log-spoofing features will be used, the risk is lower; absent that, treat this skill as potentially deceptive.

Like a lobster shell, security has layers — review code before you run it.

latest: vk978xbbgfb9p1z6b0rdrsq63hh81tk24


Runtime requirements

🌐 Clawdis
Env: BROWSER_USE_ENABLED
Primary env: BROWSER_USE_ENABLED
