Skillv1.0.3

ClawScan security

Ubuntu Browser Session · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 20, 2026, 6:11 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's scripts, instructions, and storage behavior are internally consistent with its stated purpose of providing a durable Ubuntu-host browser session and bounded manual takeover.
Guidance: This skill appears to do what it says: managing and reusing a local Ubuntu host browser session and offering a bounded manual noVNC takeover. Before installing or giving it runtime access, consider the following: - Persistent session data: it stores profiles and manifests under ~/.agent-browser. If that directory already contains logged-in browser sessions (GitHub, Google, etc.), the skill will reuse them automatically—review or isolate those profiles if you don't want automated agent access to those accounts. - noVNC exposure: the scripts can expose noVNC URLs and have an explicit LAN mode (0.0.0.0). If you enable LAN access, anyone who can reach the host and the port may view/control the browser. Prefer the loopback URL + SSH port-forwarding, and ensure firewall rules prevent unwanted LAN exposure. - Sensitive page content: CDP snapshot/eval tools read structured page content (DOM, links, text). Treat the skill as having full read access to any page loaded in the browser (including possibly secrets visible in the DOM). Use dedicated test accounts or an isolated VM if handling sensitive logins. - Audit and harden: inspect ~/.agent-browser after use, consider running the skill in a disposable VM/container, and ensure only trusted agents are allowed to invoke it autonomously. If you want stricter behavior, modify the scripts to refuse LAN binding, require explicit user confirmation before reusing a stored session, or store profiles in a device-encrypted location. Overall, the skill is coherent with its purpose but carries expected privacy/availability risks (persistent local sessions and optional LAN VNC exposure) that you should manage before enabling it in a production environment.

Review Dimensions

Purpose & Capability: okThe name/description (durable host browser sessions, one-per-site identity model, bounded manual takeover) matches the included scripts and helpers: session registry, profile resolution, browser runtime, noVNC-assisted takeover, and CDP-based page inspection. There are no unexpected cloud APIs or unrelated credentials requested.
Instruction Scope: noteRuntime instructions operate on local browser profiles (~/.agent-browser), start Xvfb/x11vnc/websockify and a browser, use CDP to inspect and snapshot pages, and provide loopback and LAN noVNC URLs for manual login. This is coherent with purpose, but it explicitly supports exposing noVNC on LAN (0.0.0.0) and persists captured session state and profiles on disk—both of which can leak sensitive page contents or active logins if network or filesystem access is not tightly controlled.
Install Mechanism: okThere is no install spec or remote download; the skill is provided as scripts bundled with the skill. It relies on system-installed binaries (Xvfb, x11vnc, websockify, Chrome/Chromium, curl, jq, python3) as documented in SKILL.md. No external code fetching or archive extraction is present.
Credentials: okNo environment variables or external credentials are required. The scripts read/write files under the user's home (~/.agent-browser) and rely on local binaries—these are necessary for the stated goal of durable local browser sessions.
Persistence & Privilege: noteThe skill persists profiles, manifests, and a site-session registry under ~/.agent-browser and will reuse logged-in sessions automatically per its rules. It does not declare always:true. However, because it can be invoked autonomously by agents and can access stored browser sessions, it effectively grants the agent ongoing access to any accounts already stored in those profiles unless the host or user restricts it.