chrome_skill
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This is a powerful Chrome automation skill, but it auto-installs and runs an unpinned browser-control bridge that can access cookies, browser storage, files, and a persistent local Chrome session.
Install only if you are comfortable giving the agent broad Chrome control. Prefer a dedicated Chrome profile with no sensitive logins, manually verify and pin the npm package, run without admin privileges, and stop the bridge after use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised npm package could run local code and control Chrome outside the reviewed skill files.
First use can install a global npm package without a pinned version or included package source, and that package supplies the browser-control bridge.
execSync('npm install -g chrome-ai-action', { stdio: 'inherit' });Pin and verify the package version, provide reviewed source or a lockfile, and avoid automatic global installs; install manually in a sandbox or project-local location when possible.
Installing the skill causes commands and a local process to run on the user’s machine.
The startup flow executes local shell commands and launches a child process. This is disclosed and purpose-aligned for starting the bridge, but users should notice it.
const { execSync, spawn } = require('child_process'); ... spawn(command, ['--port', String(BRIDGE_PORT)], {Run it only as a normal user after reviewing the startup behavior, and avoid elevated privileges unless absolutely necessary.
The agent or bridge could read or alter logged-in website sessions in the controlled Chrome profile.
The bridge exposes cookie read/write operations, which can include website session tokens, without documented domain/profile scoping or approval requirements.
### `getCookies` No params. Returns all cookies. ... ### `setCookie` / `deleteCookie`
Use a dedicated throwaway Chrome profile, avoid logging into sensitive accounts, and require explicit user approval before cookie or session actions.
If misused, the agent could submit forms, change account data, upload local files, or alter page behavior beyond the user’s intended task.
The API includes raw page JavaScript execution and local file upload/download operations, but the artifacts do not define safety gates or limits for high-impact browser actions.
### `evaluate` ... {"action": "evaluate", "params": {"code": "document.querySelector('h1').textContent"}} ... `uploadFile` ... `downloadFile`Add explicit confirmation requirements for account changes, file transfers, cookie/storage access, and JavaScript execution; scope actions to user-specified sites and files.
Other local processes or agents with access to the port may be able to issue browser-control requests if the bridge lacks protections.
The skill relies on a localhost HTTP bridge for powerful browser actions, but the artifacts do not document authentication, origin checks, or caller identity boundaries.
**Endpoint**: `http://127.0.0.1:9876/` ... `POST` | `/` | Execute action(s)
Require an authentication token, randomize or restrict the port, document caller boundaries, and stop the bridge when it is not in use.
Browser-control capability may remain available after the original task is finished.
The bridge is intended to keep running in the background, but no clear stop condition, cleanup command, or lifetime limit is provided.
the script runs the bridge as a **background child process** — the agent does NOT need to manage the process separately
Provide explicit shutdown instructions, limit the bridge lifetime to the active task, and use an isolated Chrome profile for automation.