Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Oto Sessions
v1.0.1
Manage authenticated browser sessions for any website with Oto, enabling saving, listing, deleting, and automating multiple accounts without re-authenticating.
by Murat Bahar (@mbahar)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
Name/description claim session management; included scripts and docs all call into an Oto session-manager (~/oto/lib/session-manager). Requiring Node.js and Playwright and cloning the Oto repo is coherent with that purpose.
Instruction Scope
SKILL.md and scripts only instruct browser-based login, listing, deleting, launching, and checking local session files. They reference ~/oto or OTO_PATH and do not attempt to read unrelated system files or external endpoints beyond the Oto GitHub. The skill will run browsers and read/write session JSON files locally (expected).
Install Mechanism
There is no platform-level install spec; SKILL.md tells users to git clone https://github.com/mbahar/oto.git and run npm install. Using GitHub and npm is normal, but npm install will fetch Playwright and other dependencies — you should review the Oto repository and its dependency tree before running npm install.
Credentials
The skill itself declares no required env vars or credentials. It uses an optional OTO_PATH to locate the Oto framework (documented). No unrelated secrets or cloud credentials are requested by the skill.
Persistence & Privilege
always is false and the skill does not claim elevated or persistent platform privileges. It installs by copy into ~/.openclaw/skills/ and does not modify other skills or system-wide configs.
Assessment
This skill is coherent: it wraps an external Oto framework to manage local browser sessions and includes small CLI wrappers that call into that framework. Before installing, review and trust the referenced Oto repository (https://github.com/mbahar/oto) and its package.json/dependencies because npm install will download Playwright and other packages that run native code. Confirm session files will be stored locally and protected (SKILL.md claims chmod 600 and local-only storage). If you share a machine, be aware that a running browser session can access any accounts you have logged into in that browser. If you need higher assurance, inspect ~/oto/lib/session-manager and the npm dependency tree (npm audit) before use.
scripts/launch-session.js:13
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk976mwtab7fahmq10ch1mjz73984qhwv
