Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chrome Mcp

v0.1.0

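Control the local Chrome browser (a real, already logged-in session) through Chrome DevTools MCP. Use cases:
- Browse and read the content of any web page
- Operate X (Twitter): browse the feed, post tweets, repost, like, delete posts
- Operate any website that requires login (existing login state is preserved)
- Take screenshots, read page structure, execute JS
- "Help me take a look at...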

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description align with the runtime instructions: the SKILL.md describes connecting to Chrome DevTools MCP and controlling a running, logged-in Chrome session. There are no unrelated required env vars, binaries, or installs.
Instruction Scope
The instructions explicitly direct the agent to read page structures (accessibility tree), take screenshots, execute arbitrary JavaScript (chrome__evaluate), and perform UI actions on any logged-in site (including X/Twitter). While this is consistent with the stated purpose, it grants the agent full access to the contents of any open, authenticated site (potentially including banking, email, etc.) and the ability to run JS inside pages — both capabilities can be used to exfiltrate sensitive data or perform unintended actions. The SKILL.md gives broad discretion (e.g., '操作任何需要登录的网站', "operate any website that requires login"), which increases risk.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes filesystem/install risk — nothing is downloaded or written by an installer as part of the skill bundle.
Credentials
The skill requests no environment variables, credentials, or config paths. The only external requirement is that Chrome be started with remote debugging enabled; that requirement is coherent with the stated functionality but has security implications (exposes a DevTools debugging endpoint).
Persistence & Privilege
always:false (not force-included), but model invocation is allowed (default). Combined with the skill's ability to access and control a logged-in browser and execute arbitrary JS, autonomous invocation increases blast radius. The skill does not request persistent system changes itself, but its runtime privileges (remote DevTools access to logged-in sessions) are powerful.
Assessment
This skill appears internally consistent with its purpose, but it gives the agent potent access to your real browser sessions and lets it execute JavaScript inside pages. Before installing or using it, consider:
- Only enable if you fully trust the skill and the agent that will invoke it. Treat trust carefully because the agent can read and act in any logged-in site.
- Enable Chrome remote debugging only for a short period and only on a dedicated browser profile (create a separate Chrome profile with no sensitive logins).
- Prefer manual, user-invoked use over autonomous invocation. If possible, disable autonomous invocation or require explicit user approval for every action.
- Avoid using this skill while logged into sensitive accounts (banking, primary email, corporate SSO).
- Limit actions to read-only where possible and avoid granting it permission to post or delete on social accounts unless you trust it.
- Monitor network activity and running devtools ports; close the remote-debugging port when done.

If you want a lower-risk setup, run Chrome in a disposable profile or a VM/container and keep all sensitive accounts out of that profile. If you need more assurance, request additional details from the skill author (how the chrome__* tools are provided/secured, whether there are safeguards to limit origins/actions, and why autonomous invocation is necessary).

Like a lobster shell, security has layers — review code before you run it.

latestvk9785brmm3tcdwqz3ynxbh37d182ya8j


Runtime requirements

🌐 Clawdis
