Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Browser Qw

v1.0.0

A fast Rust-based headless browser automation CLI with Node.js fallback that enables AI agents to navigate, click, type, and snapshot pages via structured co...

by SHANGWENQIANG @johnnyeisen
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and SKILL.md describe a headless browser CLI and the manifest requires node/npm — that is coherent. However the package/source details are ambiguous (no homepage, 'Source: unknown') and the included _meta.json ownerId ('local-qw') does not match the registry owner ID, which is an inconsistency worth verifying.
Instruction Scope
SKILL.md instructs the agent to install and run an external CLI (npm install -g agent-browser or build from GitHub) and lists many commands that interact with arbitrary web pages, cookies, localStorage, uploads, screenshots, and recorded video. Those behaviors are expected for a browser automation tool, but they also give the agent the ability to read/write local files and to interact with arbitrary URLs — a potential vector for unintended data access or exfiltration if the upstream CLI or commands are untrusted.
Install Mechanism
The skill is instruction-only (no install spec in manifest), which is lower risk on its own. SKILL.md recommends installing from npm or cloning a GitHub repo (vercel-labs/agent-browser). Installing third-party code via npm/git is normal but carries network-install risk — the manifest does not pin a specific trusted release or homepage, so verify the upstream package/repo before running global installs.
Credentials
No environment variables, credentials, or config paths are requested in the manifest, which is proportional. Note: the CLI supports setting HTTP auth, headers, cookies, uploading files and reading local storage via commands — those capabilities can be used to supply or capture secrets at runtime even though they aren't declared as required env vars.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide config. It allows agent invocation (default), which is normal. The main persistence/privilege concern is the ability to install/run a global npm package and read/write files during use — not an elevated platform privilege but a runtime safety consideration.
What to consider before installing
This skill is coherent with its stated purpose but requires installing and running a third-party CLI that can visit arbitrary sites, read/write local files, manage cookies/storage, and upload files. Before installing:
(1) verify the upstream npm package and GitHub repo (confirm maintainer, recent releases, and audit the source);
(2) avoid global installs on production machines — prefer a sandboxed environment or container;
(3) restrict autonomous use of the skill or require explicit user confirmation for actions that visit internal URLs, upload local files, or access sensitive pages;
(4) be cautious about the metadata mismatch (registry owner vs _meta.json ownerId) — ask the publisher for clarification.
If you cannot review the upstream code or run in an isolated environment, treat this skill as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk979r09hrbjxptdp3gee9pe2jn82w8ec

Runtime requirements

🌐 Clawdis
Bins: node, npm
