ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

google-search-wsl

v1.0.0

Perform Google searches and retrieve web or news results via Chrome browser running in WSL using remote debugging with OpenClaw tool.

1· 91·0 current·0 all-time
by@jesson-hh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The script and SKILL.md match the description: they start a Chrome/Chromium instance in WSL with remote-debugging enabled so the OpenClaw browser tool can drive searches. The script's WSL checks, data-dir usage, and Chrome flags are appropriate for that purpose.
Instruction Scope
SKILL.md tells the agent/user to run a script at ~/.openclaw/scripts/google-search-chrome.sh, but the packaged file is scripts/google-search-chrome.sh with no install step—there's a minor mismatch about where the script should live. The instructions direct starting Chrome with remote-debugging on localhost (9222) and using the browser tool; they do not instruct reading or exfiltrating unrelated files. The guidance about using HTTP_PROXY and DISPLAY is operational (not exfiltration) but SKILL.md mentions some env vars (HTTP_PROXY) while the script actually uses GOOGLE_SEARCH_* variables that are not declared in metadata.
Install Mechanism
There is no install spec (instruction-only with a packaged script). That is low-risk from an install perspective because nothing is being downloaded or automatically written to disk by an installer; the script will only run if the user invokes it.
Credentials
No credentials or sensitive environment variables are requested. The script does create and use a user-data-dir under $HOME/.openclaw/chrome-debug-profile and reads optional env vars (GOOGLE_SEARCH_CHROME_PORT, GOOGLE_SEARCH_CHROME_DATA, GOOGLE_SEARCH_CHROME_TIMEOUT, GOOGLE_SEARCH_DISABLE_GPU, GOOGLE_SEARCH_LANG) which are not declared in the skill metadata. This is reasonable for a browser-launch helper but should be noted because it stores browser profile data locally.
Persistence & Privilege
The skill is not always-enabled and makes no platform-wide configuration changes. It writes only to a per-user data directory and spawns a local Chrome process; it does not request elevated system privileges.
Assessment
This skill appears to do what it says: launch Chrome in WSL with remote debugging so the OpenClaw browser tool can control it. Before using it: (1) review and decide where the startup script should live (SKILL.md expects ~/.openclaw/scripts but the bundle contains scripts/google-search-chrome.sh); (2) be aware it opens a local Chromium remote-debugging port (default 9222) and writes a browser profile under $HOME/.openclaw/chrome-debug-profile — avoid exposing that port to untrusted networks and inspect the profile directory if you care about privacy; (3) the script accepts optional GOOGLE_SEARCH_* env vars (not declared in metadata) — set them if you need to change port, data dir, timeout, language, or GPU behavior; (4) only run this on machines you control and trust, since the browser tool will be able to load pages and access session data in that profile; and (5) if you need stronger assurance, run the script manually and inspect its output before allowing any automated agent to invoke the browser tool.

Like a lobster shell, security has layers — review code before you run it.

latestvk977k9amsq8c7d5db49x16dcxd83a37c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments