Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Browser Stagehand
v1.0.0
Automate web browser interactions using natural language via CLI commands. Use when the user asks to browse websites, navigate web pages, extract data from w...
by @hsyhph
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (browser automation) aligns with the CLI commands and examples. Using an LLM-backed Stagehand and a remote provider (Browserbase) is plausible for this purpose. However, the skill metadata claims no required env vars/binaries while the instructions clearly require or recommend ANTHROPIC_API_KEY and optionally BROWSERBASE_API_KEY / BROWSERBASE_PROJECT_ID, and Chrome — a discrepancy that should be explained.
Instruction Scope
SKILL.md and REFERENCE.md explicitly instruct the agent/user to read .env, check setup.json, use a persistent Chrome profile (.chrome-profile/), save downloads to ./agent/downloads/, and automatically choose remote vs local based on available API keys with 'No user prompting'. Those actions expand scope beyond a simple 'run this CLI' skill: reading .env (sensitive), persisting session cookies, writing downloads/screenshots to agent folders, and automatic non-interactive selection increase risk and should have been declared up-front.
Install Mechanism
The skill is instruction-only (no install spec) which is lower risk, but setup.json tells users to run `npm install` and `npm link` to create a global `browser` command. Installing arbitrary npm dependencies carries supply-chain risk and should be made explicit in registry metadata (package.json, exact dependency list, and source repo).
Credentials
Registry metadata lists no required env vars, but setup.json and docs instruct to provide ANTHROPIC_API_KEY and detect BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID in .env. Those are sensitive credentials; requiring them makes sense for an LLM-driven and/or remote-browser service — but their absence from the declared `requires.env` is a clear mismatch and a red flag. Also using a persistent Chrome profile means the tool may access or retain cookies/session data.
Persistence & Privilege
The skill does not set always:true and does not request elevated agent privileges. However it deliberately uses a persistent Chrome profile and saves downloads/screenshots to agent directories, and configures Chrome to run off-screen. Persistence of .chrome-profile and automatic download behavior could cause long-lived local state (cookies, auth) and should be considered by users before enabling.
What to consider before installing
This skill appears to implement the advertised browser automation CLI, but the registry metadata omits important runtime requirements and behaviors. Before installing or running it, consider the following:
(1) the docs expect an ANTHROPIC_API_KEY (and optionally Browserbase API keys) stored in .env or exported — do not place unrelated secrets there;
(2) the tool uses a persistent Chrome profile (.chrome-profile) and will preserve cookies/sessions — use a dedicated profile or run in a disposable environment if you don't want session data retained;
(3) downloads go to ./agent/downloads and screenshots to ./agent/browser_screenshots — review those directories and clean them after use;
(4) the setup requires running `npm install`/`npm link` which installs external packages — inspect package.json and dependency sources before installing;
(5) the skill auto-selects remote vs local mode without prompting, which could cause it to use remote services if API keys are present;
(6) ask the publisher to update registry metadata to list required env vars (ANTHROPIC_API_KEY, optional BROWSERBASE_API_KEY/BROWSERBASE_PROJECT_ID), required binaries (Chrome), and to provide a source repository so you can inspect code.
If you cannot verify these details, run the tool in an isolated container or VM and avoid sharing production credentials.
Like a lobster shell, security has layers — review code before you run it.
