Skill v1.0.0

ClawScan security

Agent Browser Qw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 14, 2026, 10:21 AM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match a browser-automation CLI and the requested host prerequisites (node/npm), but there are small metadata inconsistencies and it instructs installing third‑party code and accessing local files/cookies which could be used for data exfiltration — review the upstream package and run in a sandbox before installing.
Guidance
This skill is coherent with its stated purpose but requires installing and running a third‑party CLI that can visit arbitrary sites, read/write local files, manage cookies/storage, and upload files. Before installing: (1) verify the upstream npm package and GitHub repo (confirm maintainer, recent releases, and audit the source); (2) avoid global installs on production machines — prefer a sandboxed environment or container; (3) restrict autonomous use of the skill or require explicit user confirmation for actions that visit internal URLs, upload local files, or access sensitive pages; (4) be cautious about the metadata mismatch (registry owner vs _meta.json ownerId) — ask the publisher for clarification. If you cannot review the upstream code or run in an isolated environment, treat this skill as higher risk.

Review Dimensions

Purpose & Capability
note: The name and SKILL.md describe a headless browser CLI and the manifest requires node/npm — that is coherent. However the package/source details are ambiguous (no homepage, 'Source: unknown') and the included _meta.json ownerId ('local-qw') does not match the registry owner ID, which is an inconsistency worth verifying.
Instruction Scope
note: SKILL.md instructs the agent to install and run an external CLI (npm install -g agent-browser or build from GitHub) and lists many commands that interact with arbitrary web pages, cookies, localStorage, uploads, screenshots, and recorded video. Those behaviors are expected for a browser automation tool, but they also give the agent the ability to read/write local files and to interact with arbitrary URLs — a potential vector for unintended data access or exfiltration if the upstream CLI or commands are untrusted.
Install Mechanism
note: The skill is instruction-only (no install spec in manifest), which is lower risk on its own. SKILL.md recommends installing from npm or cloning a GitHub repo (vercel-labs/agent-browser). Installing third-party code via npm/git is normal but carries network-install risk — the manifest does not pin a specific trusted release or homepage, so verify the upstream package/repo before running global installs.
Credentials
ok: No environment variables, credentials, or config paths are requested in the manifest, which is proportional. Note: the CLI supports setting HTTP auth, headers, cookies, uploading files and reading local storage via commands — those capabilities can be used to supply or capture secrets at runtime even though they aren't declared as required env vars.
Persistence & Privilege
ok: The skill does not request always:true and does not ask to modify other skills or system-wide config. It allows agent invocation (default), which is normal. The main persistence/privilege concern is the ability to install/run a global npm package and read/write files during use — not an elevated platform privilege but a runtime safety consideration.