Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
The skill is coherent for remote browser logins, but it exposes a login browser through an unauthenticated public link, stores reusable account sessions, and includes under-disclosed stealth automation.
Only install or run this if you intentionally want an agent-controlled browser to help create reusable logged-in sessions. Do not use it for highly sensitive accounts unless you can secure the tunnel, restrict who receives the URL, protect or delete the saved session files, and require explicit approval before future automation uses those sessions.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the tunnel URL while it is live could view or control the login browser and potentially cause a session to be saved.
The browser-control tool is exposed through a public tunnel and can click, type, navigate, and save sessions while the user is logging in; the artifact explicitly says the tunnel has no authentication by default.
Cloudflared creates a temporary public tunnel URL ... No authentication on the tunnel by default ... Web UI Controls ... Click ... Send ... Navigate ... Save
Use only for accounts where this risk is acceptable, share the link through a secure channel, close it immediately after use, and prefer an authenticated or one-time-token tunnel before entering sensitive credentials.
After a login is saved, future automation may be able to access or act inside the user's accounts as if it were the user.
The skill is intended to create reusable authenticated access for the agent across third-party accounts, including high-value services, without clearly limiting future use to specific approved actions.
automated browsing needs saved credentials ... the agent needs to access authenticated pages (LinkedIn, job boards, dashboards)
Require explicit user approval before each future use of a saved session, keep sessions separated per site and purpose, and avoid using this with highly sensitive accounts unless strong controls are added.
Anyone or any automation with access to the session files could potentially reuse the user's authenticated session.
The skill persists sensitive browser state for reuse, but the artifacts do not specify retention limits, encryption, cleanup requirements, or approval boundaries for later reuse.
Session (cookies + localStorage) saved to disk ... Sessions persist at `/data/home/.browser-sessions/<name>/` ... `storage.json` — Cookies + localStorage
Store sessions with strict file permissions, delete them when no longer needed, consider encryption or an isolated secrets store, and document how users can revoke or remove saved sessions.
Users may not realize the automation is designed to appear less detectable to websites, which can create account, policy, or trust risks.
The code includes browser fingerprint and webdriver-evasion behavior that is not disclosed in the SKILL.md purpose, workflow, or security notes.
// Stealth: inject anti-detection scripts after page creation ... Object.defineProperty(navigator, 'webdriver', { get: () => false }) ... console.log('🥷 Stealth evasions loaded')
Clearly disclose the stealth behavior, explain why it is needed, and let users opt out or remove it for sites where automation evasion is not appropriate.
A user could install a changed or tampered binary if the download source or release changes unexpectedly.
The setup guidance downloads the latest executable directly and makes it runnable, without pinning a version or showing checksum verification.
curl -sL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared && chmod +x /usr/local/bin/cloudflared
Install cloudflared from a trusted package manager or pin a specific release and verify its checksum before making it executable.