Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Windows Browser Ops
v0.1.0Windows Desktop 浏览器远程操控。用于在 Discord / 本地会话中触发 Edge/Chrome 执行“打开网页、交互、截图、打包下载”等动作,并回传证据。
⭐ 0· 45·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The declared purpose (remote control of Edge/Chrome on a Windows Desktop node for navigation, interaction, screenshotting and packaging downloads) is plausible. However the SKILL.md repeatedly references local PowerShell scripts (scripts/*.ps1) that are not included in the skill bundle. The skill also assumes the presence of an approved Desktop node and ability to run tools.exec node=Desktop; the registry metadata does not declare these runtime dependencies or any required config paths. Referencing absent scripts and external runtime assumptions without documenting them is an incoherence.
Instruction Scope
Runtime instructions tell the agent to execute PowerShell on a Desktop node, take full-screen screenshots, poll and zip the user's Downloads folder, change execution policy, and upload artifacts (mentions openclaw message send --channel discord ... --file path). Those actions legitimately fit the stated 'evidence collection' purpose, but they involve high-sensitivity data (screenshots, Downloads, possibly logged browser accounts) and system policy changes. The instructions also give wide discretion (copy scripts to arbitrary local paths, run SendKeys/AutoHotkey, use tscon to avoid lockscreen) which increases risk.
Install Mechanism
There is no install spec (instruction-only), which limits what is written to disk by the skill package itself. That normally reduces risk. However, because the SKILL.md expects external PowerShell scripts and suggests manually copying them to C:\Users\... or running them via WSL/powershell, the actual runtime behavior depends on scripts that are missing from the bundle. This absence prevents a full review of what will execute on the Desktop node and is therefore a notable gap.
Credentials
The skill declares no required environment variables or config paths, yet its instructions require access to: a Desktop node (tools.exec node=Desktop), the user's Downloads folder, the ability to take screenshots and possibly access Edge profile/account state, and the ability to upload files to external channels (Discord is explicitly referenced). The requested capability to change PowerShell execution policy (Set-ExecutionPolicy) and use tscon to manipulate remote sessions are privileged actions. These privileges and sensitive accesses are not represented in the metadata, which is disproportionate.
Persistence & Privilege
always:false and default model invocation are appropriate. The skill does not request to persist or modify other skills. However, because it operates by executing arbitrary PowerShell scripts on a Desktop node, granting it Desktop approval gives it broad runtime reach. That runtime reach is normal for a remote-control/evidence-collection skill but should be treated as high-privilege and limited to trusted nodes.
What to consider before installing
Do not install or run this skill until you confirm the missing pieces and audit them: 1) The SKILL.md references scripts (scripts/*.ps1) that are not included — ask the publisher to provide the exact scripts or include them in the package so you can review them. 2) Understand that the skill will request permission to run PowerShell on a Desktop node, take screenshots, read the Downloads folder, and upload files (Discord mentioned). Those are sensitive actions — only allow on a fully trusted, isolated test machine or VM. 3) Never accept global execution policy changes (Set-ExecutionPolicy) without reviewing the script contents; prefer executing signed scripts or running with the least privileges required. 4) If you must use it, require the publisher to: include all scripts, show full script source, document exactly where uploads go (Discord webhook/channel IDs or other endpoints), and provide a least-privilege mode (read-only, screenshot-only) before enabling download/exfiltration features. 5) If you cannot obtain the scripts for review, treat the skill as unsafe and decline to enable Desktop approval for it.Like a lobster shell, security has layers — review code before you run it.
latestvk977dpseabvrhrj73y59gmnec984d6jg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.