Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Open Chrome Tabs

v1.1.1

Read currently open browser tabs from Chrome or other Chromium browsers (Arc, Brave, Edge, etc.). Use when you need to know what URLs the user has open, or w...

by Roger Barnes @mindsocket
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description (listing currently open Chrome/Chromium tabs, including synced devices) align with the instructions: the SKILL.md shows exactly how to read Chrome user-data, session files, or sync LevelDB to enumerate tabs.
Instruction Scope
Instructions are limited to installing/running @mindsocket/chrome-open-tabs and reading browser User Data directories, session files, or Chrome sync LevelDB. These file accesses are expected for the declared purpose, but they do involve reading potentially sensitive browsing history and synced-device data.
Install Mechanism
No install spec in registry, but SKILL.md tells the agent to run `npm install -g` or `npx @mindsocket/chrome-open-tabs`. Running an npm package via npx is a moderate-risk install mechanism because it executes third-party code fetched from the npm registry; users should verify the package source before running.
Credentials
The skill declares no environment variables, credentials, or unrelated config paths. The accesses requested in the instructions (browser user-data and session/sync files) are proportionate to the stated function of enumerating open tabs, though they expose sensitive personal data.
Persistence & Privilege
The skill does not request persistent presence (always: false) nor system-wide changes. It does not attempt to modify other skills or agent configs in the provided instructions.
Assessment
This skill appears internally consistent: it needs to read browser profile files to list tabs and instructs you to run an npm package that does that work. Before installing or running it, verify the npm package's source (review its GitHub repo, publisher identity, and recent releases), consider running it in a sandbox or limited environment, and be aware it will access potentially sensitive URLs (including synced devices). If you don't trust the package or cannot review its code, avoid running `npx`/global install. Also ensure your browser is closed when using the sync-device mode as the tool requires.

Like a lobster shell, security has layers — review code before you run it.

latestvk97077twhja859jc2ws83qevf181nqjg

