Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nextbrowser

v1.0.22

Use Nextbrowser cloud API to spin up cloud browsers for Openclaw to run autonomous browser tasks. Primary use is creating browser sessions with profiles (per...

by Artem Popov @highxshell
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md describes spinning up cloud browsers, profiles, proxies, and credential management against nextbrowser API endpoints — these capabilities align with the stated purpose.
Instruction Scope
Instructions only call Nextbrowser endpoints (app.nextbrowser.com) and describe profile, proxy, and credentials operations which are expected. However, the SKILL.md instructs the agent to read an OpenClaw config path (skills.entries.next-browser.apiKey) for the API key — that access was not declared in the registry metadata and should have been.
Install Mechanism
Instruction-only skill with no install steps or downloads — minimal disk/write risk.
Credentials
No env vars or config paths are declared in the registry metadata, yet the runtime docs require an API key stored in OpenClaw config. The skill will cause user account credentials, proxy credentials, and persistent browser profile data to be sent to Nextbrowser (expected for this functionality) — ensure you trust the external service before supplying sensitive data.
Persistence & Privilege
always:false and default autonomous invocation settings. The skill does not request permanent system-wide presence or modify other skills; normal autonomous invocation capability applies.
What to consider before installing
This skill appears to do what it says (manage cloud browser sessions, profiles, proxies). Before installing:

1) Note the SKILL.md reads your OpenClaw config key at skills.entries.next-browser.apiKey but the registry metadata does not list that config path — ask the publisher to declare it.
2) Only provide a Nextbrowser API key you trust and consider creating a dedicated, limited key for this skill.
3) Understand that browser profiles and credential entries (cookies, logins, proxy usernames/passwords) will be stored or transmitted to Nextbrowser — do not upload secrets you wouldn't want the external service to see.
4) If you plan to allow autonomous agent runs, remember the agent can use these browser sessions to act on your accounts; limit scope and monitor activity.
5) Verify Nextbrowser's real domain and privacy/security docs (docs.nextbrowser.com and app.nextbrowser.com) and confirm account retention/purge policies.

If the publisher can update the skill metadata to declare the config path (or require an explicit env var) and document the exact data flows, this lowers the risk.


latestvk974vk986zfa7esbhayjw0v85x840sxn
