Skill v0.1.0

ClawScan security

Chrome Mcp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 12:57 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match its stated purpose (controlling a local, already-logged-in Chrome via DevTools), but they grant broad access to whatever pages and sessions are open and allow arbitrary JS execution — this is coherent but carries significant privacy and security risk.
Guidance
This skill appears internally consistent with its purpose, but it gives the agent potent access to your real browser sessions and lets it execute JavaScript inside pages. Before installing or using it, consider:
- Only enable if you fully trust the skill and the agent that will invoke it. Treat trust carefully because the agent can read and act in any logged-in site.
- Enable Chrome remote debugging only for a short period and only on a dedicated browser profile (create a separate Chrome profile with no sensitive logins).
- Prefer manual, user-invoked use over autonomous invocation. If possible, disable autonomous invocation or require explicit user approval for every action.
- Avoid using this skill while logged into sensitive accounts (banking, primary email, corporate SSO).
- Limit actions to read-only where possible and avoid granting it permission to post or delete on social accounts unless you trust it.
- Monitor network activity and running devtools ports; close the remote-debugging port when done.

If you want a lower-risk setup, run Chrome in a disposable profile or a VM/container and keep all sensitive accounts out of that profile. If you need more assurance, request additional details from the skill author (how the chrome__* tools are provided/secured, whether there are safeguards to limit origins/actions, and why autonomous invocation is necessary).

Review Dimensions

Purpose & Capability
ok: Name/description align with the runtime instructions: the SKILL.md describes connecting to Chrome DevTools MCP and controlling a running, logged-in Chrome session. There are no unrelated required env vars, binaries, or installs.
Instruction Scope
concern: The instructions explicitly direct the agent to read page structures (accessibility tree), take screenshots, execute arbitrary JavaScript (chrome__evaluate), and perform UI actions on any logged-in site (including X/Twitter). While this is consistent with the stated purpose, it grants the agent full access to the contents of any open, authenticated site (potentially including banking, email, etc.) and the ability to run JS inside pages — both capabilities can be used to exfiltrate sensitive data or perform unintended actions. The SKILL.md gives broad discretion (e.g., 'operate any website that requires login'), which increases risk.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. This minimizes filesystem/install risk — nothing is downloaded or written by an installer as part of the skill bundle.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. The only external requirement is that Chrome be started with remote debugging enabled; that requirement is coherent with the stated functionality but has security implications (exposes a DevTools debugging endpoint).
Persistence & Privilege
concern: always:false (not force-included), but model invocation is allowed (default). Combined with the skill's ability to access and control a logged-in browser and execute arbitrary JS, autonomous invocation increases blast radius. The skill does not request persistent system changes itself, but its runtime privileges (remote DevTools access to logged-in sessions) are powerful.