Skillv1.0.0

ClawScan security

Autoglm Browser Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 14, 2026, 8:06 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's pieces mostly match a browser-automation agent, but several runtime instructions (background relay, required extension, forced screenshots, session reuse, and optional auto-posting to Feishu) create meaningful data-exfiltration and account-action risks that are not fully mitigated or explained.
Guidance: This skill behaves like a local browser robot: it installs an npm helper (mcporter), asks you to install a Chrome extension, runs a local relay/mcp_server binary, and persistently stores session/config files in your home directory. Before installing: (1) Only install if you trust the mcporter npm package and the source of the mcp_server/relay binaries — inspect their code/binaries where possible. (2) Review the Chrome extension listing and permissions in the store. (3) Be cautious enabling auto_approve — keep it off unless you fully trust the agent and the accounts it will control. (4) Expect screenshots and page interactions to be captured and (optionally) posted to Feishu if you supply feishu IDs; avoid providing those unless necessary. (5) Prefer testing on throwaway accounts or in a sandboxed browser profile with no sensitive logins. (6) If you need higher assurance, request the mcp_server/relay source or a provenance statement and audit the binaries and the mcporter package before use.

Review Dimensions

Purpose & Capability: noteThe name/description and required binary (mcporter) align with a browser automation subagent that drives a browser extension and local MCP server. Requiring a Chromium extension and a local relay/mcp_server is coherent for this purpose. However, the skill expects external artifacts (binaries under {baseDir}/dist) that are not included in the package, which places extra trust on external files/users to supply untrusted executables.
Instruction Scope: concernSKILL.md instructs starting a background relay and always returning screenshots in replies. It mandates reading/writing local session and pending-result files (~/.openclaw-autoclaw/*) and can optionally post screenshots to Feishu via provided message/chat IDs. Those instructions can capture sensitive page content (including credentials, private messages, 2FA screenshots, etc.) and transmit or persist it. The auto_approve flow allows automatically performing sensitive actions (likes, posts, messages) once enabled. These behaviors are within browser-automation scope but substantially increase risk of unwanted account actions or data leakage.
Install Mechanism: noteInstall uses npm to install the mcporter package (moderate trust). The INSTALL.md also asks the user to install a Chrome extension from the Chrome Web Store (expected) and to register a local mcp_server binary under {baseDir}/dist. There are no obscure download URLs in the documented install steps, but the process requires the user to supply or place native binaries (mcp_server/relay) — those binaries should be audited before use.
Credentials: concernThe skill does not request API keys or env vars, which is appropriate. But it requires access to the user's browser via an extension and to local files under the home directory (~/.openclaw-autoclaw). Because it drives the user's logged-in browser sessions, it can act on behalf of any logged-in accounts and capture session data/screenshots. The optional Feishu integration means data could be pushed to an external service if used. These capabilities are powerful relative to the declared requirements and should be treated as sensitive.
Persistence & Privilege: notealways:false and user-invocable are appropriate. The skill persists configuration and session state in ~/.openclaw-autoclaw and runs a background relay daemon; this gives it ongoing local presence (background process + files) but does not modify other skills or system-wide settings. The persistent background relay increases the blast radius (maintains a long-lived channel to the extension) and is worth inspecting before trusting.