v1.0.0

Stealth Browser

Malicious
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:14 AM.

Analysis

This skill is built to evade website defenses, solve CAPTCHAs, and save reusable login sessions so an agent can silently act on websites later.

Guidance: Do not install this skill. If it has already been used, delete any saved data under ~/.clawdbot/browser-sessions and review ~/.clawdbot/secrets for CAPTCHA or proxy credentials. Use ordinary, transparent browser automation only for sites where you have explicit authorization.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Critical | Confidence: High | Status: Concern
SKILL.md
Use for any web automation requiring bot detection evasion, login persistence, headless browsing, or bypassing security measures.

The skill's core instructions are to evade bot-detection and bypass website security controls, not merely automate user-approved browsing.

User impact: An agent could use this skill to bypass protections on websites and perform automation that sites are actively trying to block.
Recommendation: Do not install this skill for normal use; use compliant browser automation only where you have explicit permission from the target service.

Rogue Agents
Severity: High | Confidence: High | Status: Concern
SKILL.md
Prioritize silent attempts in headless mode ... avoid disturbing the user's activity

The execution strategy says to prioritize silent headless attempts and avoid disturbing the user, which supports hidden autonomous browser activity.

User impact: The agent may browse, retry, and reuse sessions without the user's active visibility.
Recommendation: Avoid skills that default to silent or hidden account activity; require visible browsing and explicit approval for each sensitive action.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
npm install -g puppeteer-extra puppeteer-extra-plugin-stealth ... pip install undetected-chromedriver DrissionPage ... docker run -d --name flaresolverr ... ghcr.io/flaresolverr/flaresolverr

The setup uses unpinned global packages and an unpinned Docker image for high-risk browser-evasion tooling, with no lockfile or provenance controls shown.

User impact: Installing this could pull arbitrary future package or container versions into the user's environment.
Recommendation: Do not run these install commands; any legitimate automation dependency should be pinned, reviewed, and installed in an isolated environment.

Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Concern
scripts/smart_login.py
options.set_argument('--no-sandbox')

The browser is launched with sandboxing disabled while navigating to arbitrary user-supplied websites, reducing local isolation against malicious pages.

User impact: A hostile webpage loaded by the automation has a weaker browser isolation boundary than expected.
Recommendation: Do not disable browser sandboxing for general web browsing or automation unless there is a tightly controlled, isolated runtime.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
When user asks to "login to X website", automatically use headed mode for login, then save session for future headless reuse.

A simple login request is expanded into persistent session capture and later headless reuse, giving the agent ongoing delegated access to the user's authenticated account.

User impact: Saved cookies and sessions could let the agent act as the user on websites after the initial login.
Recommendation: Do not allow automatic session saving; if session persistence is ever needed, it should be per-site, explicit, encrypted, time-limited, and easy to revoke.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High | Confidence: High | Status: Concern
scripts/session_manager.py
self.data["cookies"] = page.cookies.as_dict() ... self.data["localStorage"] = json.loads(ls) if ls else {} ... self.save()

The code stores cookies and localStorage from browser pages into persistent local session files for reuse, with no evident retention, encryption, or per-site containment.

User impact: Authentication tokens and sensitive site state may remain on disk and be reused across later tasks.
Recommendation: Do not store browser sessions in this way; remove any saved sessions under ~/.clawdbot/browser-sessions if this skill was used.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
scripts/solve_captcha.py
requests.post("http://2captcha.com/in.php", data={"key": api_key, ... "pageurl": page_url, ...})

The CAPTCHA solver sends the user's solver API key and target page URL to an external service over plaintext HTTP for 2Captcha.

User impact: Third-party CAPTCHA services can learn target URLs and receive API credentials, and the 2Captcha path is not protected by TLS in the provided code.
Recommendation: Avoid sharing browsing targets and API keys with CAPTCHA-solving services; never send credentials over plaintext HTTP.