Browser Automation (CDP)

Warn

Audited by ClawScan on May 18, 2026.

Overview

This skill appears to do browser automation as advertised, but it gives the agent broad control over your logged-in browser sessions and includes under-scoped cookie/session guidance, so it should be reviewed carefully before use.

Install only if you are comfortable giving the agent control of a browser session. Prefer a separate browser profile with only the needed accounts logged in, close the debug-enabled browser after use, avoid cookie-database access, and manually approve any action that submits forms, changes account data, downloads files, or interacts with private pages.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could act through your existing website sessions, and cookie/session data could be exposed or used more broadly than a normal website interaction.

Why it was flagged

The skill is designed to operate through an already logged-in daily browser profile and even suggests directly reading the browser cookie SQLite store for HttpOnly cookies, while the registry declares no primary credential or scoped credential contract.

Skill content

Option A: use your everyday Edge (recommended, already logged in) ... HTTP-only Cookie ... consider reading the SQLite directly from the browser files

Recommendation

Use a dedicated isolated browser profile, log in only to the needed site, do not read browser cookie databases, and require explicit approval for any account-changing action.

What this means

A mistaken or over-broad agent instruction could read page data, click controls, submit forms, or modify logged-in accounts in the browser.

Why it was flagged

The module exposes raw JavaScript execution in the controlled browser page without domain allowlists, read-only mode, or built-in confirmation before sensitive actions.

Skill content

async eval(script, returnByValue = true) { ... method: 'Runtime.evaluate', params: { expression: script, returnByValue } }

Recommendation

Restrict use to trusted sites, prefer read-only extraction when possible, and add human confirmation before clicks, form submissions, purchases, account changes, or data downloads.

What this means

The agent could inspect or act on the wrong existing tab if a command is run before an explicit navigation or tab selection.

Why it was flagged

For a generic browser automation skill, silently attaching to an existing Bilibili tab when no tab is selected is an unexpected scope choice and may use a logged-in session the user did not intend for the current task.

Skill content

const existing = tabs.find(t => t.url.includes('bilibili.com')); if (existing) { this._tabId = existing.id; ... return; }

Recommendation

Require explicit tab selection or always create a new blank tab unless the user names an existing tab/site to control.

What this means

Other local processes or later agent actions may be able to control the browser until it is closed or restarted without remote debugging.

Why it was flagged

The setup asks the user to start the daily browser with a CDP debugging port; this is user-directed, but the elevated control channel remains available while that browser stays open.

Skill content

Start-Process "...msedge.exe" --remote-debugging-port=9222

Recommendation

Close the debug-enabled browser after the task, use an isolated profile, and avoid leaving CDP ports open during normal browsing.

What this means

The skill may fail or load whatever module is present at that local path, making behavior harder to reproduce or audit.

Why it was flagged

The dependency is loaded from an absolute global path outside the skill package rather than a declared, pinned local dependency; this is likely portability/provenance debt rather than evidence of exfiltration.

Skill content

const WebSocket = require('/home/yeying233/.npm-global/lib/node_modules/openclaw/node_modules/ws');

Recommendation

Package or declare the WebSocket dependency normally, remove developer-specific absolute paths, and align the included metadata/docs with the registry entry.