Ghost Browser
Verdict: Malicious. Audited by ClawScan on May 10, 2026.
Overview
This browser automation skill includes explicit Cloudflare/bot-protection evasion and persistent session handling, which goes beyond ordinary web browsing automation.
Avoid installing this skill for normal AI browsing. Its explicit Cloudflare/anti-bot evasion and persistent login-session handling make it unsafe except in tightly controlled, authorized testing environments. If already used, stop the daemon and delete saved profiles/sessions under its .openclaw state directory.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. The agent could be used to evade website bot protections, risking account bans, policy violations, or misuse against third-party services.
The skill combines an undetected browser with a dedicated Cloudflare-solving command, indicating explicit anti-bot or challenge-bypass functionality rather than ordinary browsing.
Launches an undetected Chrome browser using nodriver ... python ghost_browser.py cf-solve [--tab ID] [--all] [--json]
Do not install for normal browsing. Only use in explicit, authorized testing environments, and disable or remove Cloudflare-solving and stealth features.

2. Pages visited in the automated browser may have their event behavior modified to bypass detection, which is unsafe outside controlled authorization.
The content script deliberately changes MouseEvent and PointerEvent behavior so automated CDP clicks look more realistic to Cloudflare Turnstile checks.
Cloudflare Turnstile checks for this inside its iframe. ... Fix: override the constructors to compute screen coordinates
Remove this extension or restrict it to authorized test domains; do not load it by default.

3. All sites opened in the automated browser can be affected by the script, including login pages and third-party iframes.
If loaded, the extension executes its content script on every URL and every frame at the earliest page phase, which is broader than a narrowly scoped automation helper.
"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start", "all_frames": true
Limit extension matches to specific authorized domains and require explicit user opt-in before loading it.

4. Logged-in accounts could remain accessible to future agent tasks or to anyone who can read the saved browser state files.
The skill stores and restores full browser authentication state, but the artifacts do not describe encryption, retention limits, confirmation requirements, or account-scope boundaries.
`session save <name>` | Save cookies + localStorage + sessionStorage ... `session load <name>` | Restore full auth state
Use only disposable or dedicated browser profiles, avoid sensitive accounts, require confirmation before saving/loading sessions, and delete saved sessions after use.

5. A browser instance or logged-in profile may remain available after the immediate task unless explicitly stopped or cleaned up.
The skill maintains local state, process IDs, and persistent profiles for a browser daemon; this is disclosed, but it persists beyond a single command.
STATE_DIR = Path.home() / ".openclaw" / "workspace" / "SKILLS" / "ghost-browser" / "state" ... PID_FILE = STATE_DIR / "browser.pid" ... PROFILES_DIR = STATE_DIR / "profiles"
Run the stop command after use and periodically remove unused profiles, sessions, and state files.

6. Future dependency versions could change behavior or introduce vulnerabilities.
The skill depends on an external Python package with only a lower-bound version pin; this is expected for the stated nodriver-based browser automation, but it leaves dependency versions open-ended.
nodriver>=0.38
Pin and review exact dependency versions before installing or running the setup script.
