Skill v1.0.0

ClawScan security

Ask Gemini/ChatGPT · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 2:27 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with its stated purpose (controlling a local Chrome instance via Playwright to query Gemini/ChatGPT). It does not request unrelated credentials or perform obvious off-site exfiltration, but it will control your browser profile and return chatbot responses verbatim, so review and caution are warranted.
Guidance
This skill appears to do what it says: it runs local Python scripts that control your Chrome (via remote debugging) to send queries to Gemini or ChatGPT and return the responses verbatim. Before installing or running it:
1) Review the included scripts (they are bundled so you can inspect them) to confirm no unexpected network calls or behavior.
2) Be aware the skill uses a Chrome profile directory (cookies/sessions); consider using a dedicated profile or logging out of accounts you don't want accessible.
3) Expect to pip install Playwright from PyPI (Playwright may also fetch browser tooling).
4) Understand that responses are returned exactly as the chatbot outputs (including any links or potentially sensitive content).
5) Only run this on machines you trust; if you want stronger isolation, run Chrome in a dedicated user account, container, or VM and review the full script contents (particularly the truncated parts) before use.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: Python + Playwright scripts connect to a local Chrome CDP, navigate to gemini.google.com or chatgpt.com, send the user query, and extract the response and citations. Required binary (python3) and no env vars align with this purpose. Using the user's Chrome session (via a user-data-dir) is expected to preserve login state.
Instruction Scope
note: SKILL.md instructs the agent to run the included Python scripts and start_chrome.sh, connect to a local Chrome CDP, and return the script output verbatim. That is within scope, but returning responses verbatim can leak sensitive content from the chat (and any links/citations the chatbot emits). The instructions do not ask the agent to read arbitrary host files or unrelated env vars.
Install Mechanism
ok: There is no external/obscure download URL in the skill. The only install activity is creating a virtualenv and pip installing requirements.txt (playwright>=1.40.0), which is normal for Python projects. Note: pip/Playwright will fetch packages from PyPI (and Playwright may download browser tooling if used), so standard package-supply risks apply, but there is nothing unusual in this repo.
Credentials
note: No environment variables or external credentials are requested. The skill uses a Chrome user-data-dir (~/.openclaw/workspace/chrome_profile) and requires you to be logged into Google/OpenAI in that browser. Access to your browser profile (cookies, sessions) is necessary for the functionality but is a sensitive capability: the scripts can control the browser and interact with pages in that profile.
Persistence & Privilege
ok: The skill is not always-enabled and does not request platform-wide privileges. It creates/uses a dedicated user-data-dir for Chrome and includes a start script that launches Chrome under that profile. It does not modify other skills or global agent configs.