chrome_skill
Pass. Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: chromeskill
Version: 1.0.0
The skill provides extensive browser automation capabilities through a bridge service, including cookie extraction, local storage access, arbitrary JavaScript execution (`evaluate`), and file upload/download. The `scripts/startup.js` file automatically installs a global npm package (`chrome-ai-action`) and launches a background process listening on port 9876. These features match the stated goal of browser automation, but the breadth of the permissions and the automatic global installation of external code are a significant security risk: if the agent is misused or the external package is compromised, the result can be data exfiltration or unauthorized access to the host.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised npm package could run local code and control Chrome outside the reviewed skill files.
First use can install a global npm package without a pinned version or included package source, and that package supplies the browser-control bridge.
execSync('npm install -g chrome-ai-action', { stdio: 'inherit' });
Pin the package to an exact version and verify it (for example against a lockfile integrity hash), ship reviewed source or a lockfile with the skill, and avoid automatic global installs; install manually into a sandbox or project-local location when possible.
Installing the skill causes commands and a local process to run on the user’s machine.
The startup flow executes local shell commands and launches a child process. This is disclosed and purpose-aligned for starting the bridge, but users should be aware that installing the skill runs code on their machine.
const { execSync, spawn } = require('child_process'); ... spawn(command, ['--port', String(BRIDGE_PORT)], {
Run it only as a normal user after reviewing the startup behavior, and avoid elevated privileges unless absolutely necessary.
The agent or bridge could read or alter logged-in website sessions in the controlled Chrome profile.
The bridge exposes cookie read/write operations, which can include website session tokens, without documented domain/profile scoping or approval requirements.
### `getCookies` No params. Returns all cookies. ... ### `setCookie` / `deleteCookie`
Use a dedicated throwaway Chrome profile, avoid logging into sensitive accounts, and require explicit user approval before cookie or session actions.
If misused, the agent could submit forms, change account data, upload local files, or alter page behavior beyond the user’s intended task.
The API includes raw page JavaScript execution and local file upload/download operations, but the artifacts do not define safety gates or limits for high-impact browser actions.
### `evaluate` ... {"action": "evaluate", "params": {"code": "document.querySelector('h1').textContent"}} ... `uploadFile` ... `downloadFile`
Add explicit confirmation requirements for account changes, file transfers, cookie/storage access, and JavaScript execution; scope actions to user-specified sites and files.
Other local processes or agents with access to the port may be able to issue browser-control requests if the bridge lacks protections.
The skill relies on a localhost HTTP bridge for powerful browser actions, but the artifacts do not document authentication, origin checks, or caller identity boundaries.
**Endpoint**: `http://127.0.0.1:9876/` ... `POST` | `/` | Execute action(s)
Require an authentication token, randomize or restrict the port, document caller boundaries, and stop the bridge when it is not in use.
Browser-control capability may remain available after the original task is finished.
The bridge is intended to keep running in the background, but no clear stop condition, cleanup command, or lifetime limit is provided.
the script runs the bridge as a **background child process** — the agent does NOT need to manage the process separately
Provide explicit shutdown instructions, limit the bridge lifetime to the active task, and use an isolated Chrome profile for automation.
