realtime-interact-overlay
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a plausible interaction-overlay skill, but it explicitly supports collecting payment/password inputs and injects unsanitized browser modal content, so it needs careful review before use.
This skill appears intended to improve confirmation/input UX, not to exfiltrate data. However, avoid using it for passwords, payment PINs, one-time codes, or other secrets, and be cautious with browser overlays until message rendering is sanitized and the credential-handling boundaries are made explicit.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be prompted to type a payment password or similar secret into an agent-controlled overlay, giving the agent enough authority to complete sensitive account actions.
The skill explicitly proposes routing payment/password input through the agent and then having the AI perform the payment, but the artifacts do not bound what secrets may be requested, how they are protected, or how they are prevented from being retained or misused.
购物付款时需要输入密码 ... → 用户输入密码 → AI执行支付
Do not use this skill for payment passwords, account passwords, one-time codes, or other secrets unless the design is changed so secrets stay in the official provider UI, are masked, are not returned to the agent, and are clearly declared.
If the modal displays untrusted content, it could run unexpected JavaScript inside the current website, potentially affecting the page session or causing unintended actions.
The browser modal inserts message content into the active page using innerHTML after only limited string escaping, so untrusted message text containing HTML or event handlers could execute in the page context.
modal.querySelector('#openclaw-modal-content').innerHTML = '{message_js}'.replace(/\\n/g, '<br>');Use textContent for normal messages, sanitize any allowed HTML with a strict sanitizer, and reserve custom HTML injection only for clearly trusted, user-approved content.
The skill can cause local system dialogs to appear and collect confirmations or inputs.
The skill runs AppleScript locally to display macOS dialogs. This is purpose-aligned and avoids shell=True, but it is still local script execution that users should understand.
process = subprocess.Popen(['osascript', '-e', script], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, env={})Use it only for prompts you expect, and verify the dialog title/message before approving important actions.
Some documented functionality may not work as expected, and users may not have a complete picture of the intended browser-injection path.
The documentation references scripts/inject_modal.js, but that file is not present in the provided manifest. This looks like an incomplete implementation rather than active malicious behavior.
// 通过 JavaScript 注入创建浮窗 // 见 scripts/inject_modal.js
Publish the referenced helper or remove the reference, and declare the actual runtime dependencies such as Python, osascript, and macOS-specific behavior.