Skill v1.0.7

ClawScan security

Ghost Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 2, 2026, 7:16 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill appears internally consistent with its stated purpose (an automated Chrome controller using nodriver); the requested binaries, included files, and runtime instructions match a browser automation tool.
Guidance
This skill is coherent for browser automation, but review and accept these trade-offs before installing: it will create a .venv and write state, profiles, sessions, cookies, and logs under ~/.openclaw/.../ghost-browser/state — session files may contain sensitive auth tokens, so avoid saving secrets there. The setup script installs nodriver from PyPI (ensure you trust that package/version). The daemon exposes commands for arbitrary JS eval, download/upload, and network logging; only navigate it to trusted pages and consider running the skill in an isolated environment (container or VM) if you have sensitive data on the host. If you want extra assurance, inspect scripts/ghost_browser.py and extensions content, and run setup.sh manually to review pip install output before use.

Review Dimensions

Purpose & Capability
ok
Name/description, required binaries (python3 + Chrome/Chromium), the nodriver requirement in requirements.txt, the CLI wrapper, Python daemon, and a small extension to patch pointer events all align with an automated Chrome/browser-control skill.
Instruction Scope
note
Runtime instructions direct the agent to run the ghost-browser CLI for navigation, element inspection, form fill, session save/load, page reading, screenshots, file download/upload, and JS eval. Those actions are expected for browser automation, but the skill will read and write persistent state (profiles, sessions, cookies) under the user's home directory (~/.openclaw/.../ghost-browser/state) and exposes an eval command (arbitrary JS execution) and download/upload functionality — capabilities that are powerful and should be used only for trusted pages/tasks.
Install Mechanism
note
No centralized install spec, but setup.sh creates a local Python venv under the skill directory and installs nodriver from PyPI (requirements.txt). This is a normal install method for Python tools but does pull code from the public package index (pip). There are no suspicious remote downloads or URL shorteners in the provided files.
Credentials
ok
The skill does not request external environment variables or unrelated credentials. It stores profiles, session files, and logs under a workspace directory in the user's home — expected for a browser that saves cookies and localStorage, but those stored session artifacts can contain sensitive authentication tokens.
Persistence & Privilege
note
The skill creates a local virtual environment, an executable CLI wrapper, and persistent state files under the user's home directory. It is not marked always:true and does not modify other skills; persistent state and executable creation are expected for this kind of tool but represent lasting changes on the host.