Browser Setup (No-Root Linux)
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it claims—install a user-local headless Chrome setup—but users should notice that it downloads external packages and recommends no-sandbox/CDP browser settings.
Install only if you need a no-root Linux headless Chrome setup for OpenClaw. Review the script first, run it in a trusted container or server account, keep the Chrome debugging port restricted, and be aware that it creates persistent files under your home directory and configures OpenClaw to use an unsandboxed headless browser.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The installed browser and libraries come from Google and the system's configured apt repositories; if those sources are unavailable, changed, or compromised, the local browser setup could be affected.
The installer downloads the latest Chrome package and dependency packages from external package sources without explicit version pinning or checksum verification. This is central to the stated install purpose, but it means the setup trusts upstream package delivery.
wget -q -O "$TMP_DIR/chrome.deb" \ https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb ... apt-get download "$pkg" 2>/dev/null || true
Run the installer only in a trusted environment, prefer trusted apt repositories, and pin versions or verify package checksums if your environment requires stronger supply-chain controls.
On a shared or exposed host, an accessible debugging port or unsandboxed browser could increase the impact of a browser compromise or unintended browser control.
The skill recommends disabling Chrome's sandbox and using a Chrome DevTools Protocol debugging port. These settings are common for headless browser automation in containers, but they are sensitive because CDP can control the browser instance and no-sandbox lowers isolation.
openclaw config set browser.noSandbox true ... --remote-debugging-port=18800 \ ... --no-sandbox
Use this setup in an isolated Linux/container environment, restrict the debugging port to local/trusted access, avoid using it on shared desktops, and enable sandboxing when your environment supports it.
OpenClaw browser operations may run this wrapper in future sessions, so changes to the wrapper or its directories could affect browser execution.
The setup script creates an executable wrapper script in the user's home directory. This generated executable is expected for the browser setup, but it is still a persistent local command that OpenClaw may later use.
cat > "$WRAPPER" << WEOF
#!/bin/bash
export LD_LIBRARY_PATH=${LIBS_DIR}/lib\${LD_LIBRARY_PATH:+:\$LD_LIBRARY_PATH}
export FONTCONFIG_FILE=${FC_CONF}
exec ${CHROME_BIN} "\$@"
WEOF
chmod +x "$WRAPPER"Keep the wrapper in a trusted user-owned directory, avoid editing it with untrusted content, and remove ~/local-libs/chrome-wrapper.sh and related config if you no longer want this browser setup.