Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Chrome CDP for OpenClaw
v1.0.0
Browser automation CLI for AI agents using Google Chrome via CDP. Connects to a running Chrome instance started by chrome_for_openclaw.sh inside an XRDP sess...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the instructions: the skill uses agent-browser to connect to a real Chrome instance via CDP to reuse existing login sessions. However the registry metadata lists no required binaries/envs while SKILL.md and its internal metadata explicitly require the agent-browser command and mention many runtime environment variables (AGENT_BROWSER_CDP_URL, AGENT_BROWSER_PROFILE, AGENT_BROWSER_ENCRYPTION_KEY, HTTP(S)_PROXY, etc.). That inconsistency is a minor coherence issue but not necessarily malicious.
Instruction Scope
The runtime instructions tell the agent (or user) to fetch and execute a remote script (bash <(curl -fsSL https://raw.githubusercontent.com/.../chrome_for_openclaw.sh)), to run it with sudo (--install), to kill existing Chrome processes, and to start Chrome with --remote-debugging-port exposing full browser control on localhost. Those steps are directly related to the skill's purpose but they also grant the skill (and any local process that can reach localhost:9222) access to all cookies, storage, and the ability to execute JS in pages — a high-privilege action. The docs also suggest saving/restoring session state in plaintext files (auth.json) and encourage using env vars for credentials, which is sensitive and must be carefully handled.
Install Mechanism
There is no formal install spec in the registry; instead SKILL.md instructs executing a remote install script via curl|bash from raw.githubusercontent.com and installing agent-browser globally via npm -g. Running an arbitrary script fetched from a GitHub raw URL as root is a meaningful risk (it modifies system XRDP/XFCE configuration and Chrome behavior). While GitHub raw content is a common host, executing it directly with sudo is high-risk and should be reviewed manually before running.
Credentials
The skill declares no required environment variables in the registry but the instructions reference and recommend many env vars (DEBUG_PORT, START_URL, AGENT_BROWSER_CDP_URL, AGENT_BROWSER_PROFILE, AGENT_BROWSER_ENCRYPTION_KEY, HTTP_PROXY/HTTPS_PROXY/NO_PROXY, etc.). These are relevant to the declared functionality (connecting to CDP, profiles, proxies), but they are sensitive (especially AGENT_BROWSER_ENCRYPTION_KEY and proxy credentials). The guidance to save state files (which contain session tokens in plaintext) increases the risk if handled carelessly.
Persistence & Privilege
The skill does not request 'always: true', but the one-time install step requires sudo and modifies system components (installs Chrome if missing, configures XRDP + XFCE, and changes how Chrome is launched). It also suggests global npm -g install. These actions create persistent system changes and elevated privilege usage which are more intrusive than a lightweight instruction-only skill and should be performed only after manual review or within an isolated VM.
What to consider before installing
This skill appears to do what it says (control a real Chrome via the DevTools protocol), but it asks you to run a remote installer as root and to expose Chrome's remote debugging port, which gives any local process full access to your browser sessions (cookies, localStorage, ability to execute JS). Before installing or running anything:
1) Review the entire install script (https://raw.githubusercontent.com/joustonhuang/chrome_for_openclaw/main/chrome_for_openclaw.sh) line-by-line — do not run curl|bash without inspection.
2) Prefer running the installer in an isolated VM or throwaway container, not on your primary machine.
3) Understand that connecting to localhost:9222 allows reading and controlling logged-in sessions; only use on trusted hosts and close Chrome when done.
4) Avoid saving session state files in source control, and use AGENT_BROWSER_ENCRYPTION_KEY if you must persist state.
5) If you need least privilege, consider alternatives that use ephemeral profiles or cloud browser providers rather than reusing your personal Chrome profile.
If you want help auditing the install script or extracting specific risky commands to review, provide the script and I can analyze it line-by-line.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🌐 Clawdis
