ClawHub

AIGroup Browser Skill

v0.1.1

Open pages with the real CN or global browser profile on spark and return the live page title plus final URL. Use this instead of web_fetch, search, canvas,...

0· 85·0 current·0 all-time
byjackdark@jackdark425
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, description, SKILL.md, and the included Python script all align: they call local 'oc-cn' / 'oc-global' / 'oc-browser' wrappers and query local CDP endpoints to return a page title and final URL. One mismatch to be aware of: the script uses hard-coded absolute command paths under /home/jack/.local/bin (CN_CMD/GLOBAL_CMD/AUTO_CMD) while the metadata only lists generic binary names (oc-cn, oc-global, oc-browser). This is an operational inconsistency (it will fail on hosts where the binaries are installed elsewhere) but not evidence of malicious intent.
Instruction Scope
SKILL.md instructs the agent to invoke the provided script with a JSON payload and to prefer the real browser over web_fetch/search/canvas/nodes when requested. The script only contacts localhost CDP endpoints (127.0.0.1 on expected ports), runs the oc-* command to open the URL, and returns the page title and final URL. It does not read other files or environment variables, nor does the SKILL.md direct data to external endpoints.
Install Mechanism
This is instruction-only with a small Python script included; there is no install spec that downloads or extracts code from remote URLs. Risk from installation is therefore low. The skill expects existing local binaries; it does not install third-party packages itself.
Credentials
The skill requires no credentials or environment variables. It uses only local binaries and localhost HTTP endpoints for the browser CDP. The requested resources are proportional to the stated goal. Note: the script's hard-coded paths assume a specific user's home layout, which is operationally unnecessary and should be adjusted.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide persistence, and does not modify other skills or global agent configuration. It only runs when invoked and prints a JSON result.
Scan Findings in Context
[no_findings] expected: Static pre-scan reported no suspicious patterns. The included Python script is short, readable, and consistent with the declared behavior (subprocess.run of local oc-* wrappers and localhost CDP queries).
Assessment
This skill appears to do what it says: open a URL in a local browser profile and return the live title and final URL. Before installing, verify the following: 1) Confirm the oc-cn / oc-global / oc-browser binaries on the target host are the expected, trusted wrappers and not untrusted scripts—inspect or run them manually. 2) Update the script to use the binaries from PATH (e.g., 'oc-cn') or adjust the absolute paths to match your host; the current /home/jack/.local/bin hard-coded paths are developer-specific and will likely fail elsewhere. 3) Confirm the CDP ports (127.0.0.1:18810 and :18800) are local-only and not exposed externally. 4) If you deploy in a high-security environment, run the skill in a sandboxed/test workspace first to validate behavior. These are operational hygiene checks rather than indications of malicious behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk970m9e7vwn6xp4z391qxnkfv983tmx9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis
Binspython3, oc-cn, oc-global, oc-browser

Comments