Stable Browser
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do what it says, but it sets up a persistent CDP-controlled Chrome profile that can stay logged into your accounts and be used for broad browser automation.
Install only if you want OpenClaw to have long-lived control of a separate Chrome profile. Use dedicated accounts where possible, avoid logging into highly sensitive services, require confirmation before public or account-changing actions, and remove the LaunchAgent/profile when you no longer need CDP automation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this profile may be able to act as you on any site where you log in, including posting, submitting forms, or changing account data.
The skill encourages persistent login sessions inside the CDP-controlled browser profile, which can give browser automation access to the user's third-party accounts.
Log into sites once, stays logged in ... First run: Log into any sites you need (Google, GitHub, X, LinkedIn, etc.)
Use a dedicated profile and, where possible, dedicated low-risk accounts. Avoid logging into sensitive accounts unless necessary, and require explicit confirmation before any public, financial, or account-changing action.
Once configured, browser automation can navigate, click, type, and submit through the CDP profile, including on sites where the profile is logged in.
The script exposes Chrome DevTools Protocol control on a local port and configures OpenClaw to use it, enabling broad browser control rather than a narrowly scoped workflow.
--remote-debugging-port=$CDP_PORT ... config.setdefault('browser', {})['cdpUrl'] = 'http://127.0.0.1:$CDP_PORT'
Keep the CDP browser separate from everyday browsing, close or disable it when not needed, and enforce explicit approval for posts, purchases, deletions, or other irreversible actions.
Running setup can stop an existing Chrome debug instance and modify your OpenClaw browser configuration.
The setup script performs local process control and configuration writes. These actions are visible and purpose-aligned, but they do change the user's local environment.
pkill -f "remote-debugging-port=$CDP_PORT" ... json.dump(config, f, indent=2)
Review the script before running it, and run it only when you are ready to change the local browser setup.
Chrome CDP may continue running after reboot or login, leaving the automation profile available whenever the user is signed in.
The macOS LaunchAgent is configured to start at login and restart Chrome after crashes. This persistence is disclosed, but it keeps the CDP browser available beyond the setup session.
<key>RunAtLoad</key> <true/> ... <key>KeepAlive</key> ... <key>Crashed</key> <true/>
If you no longer need the skill, unload and remove the LaunchAgent and consider deleting the dedicated Chrome profile.
