ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Virtual Desktop Browser

v1.0.0

Launch Chromium in non-headless mode inside Xvfb virtual display (fixed 1200x720x24) and automate with human-like mouse/keyboard/screenshot operations. Use f...

0· 237·2 current·2 all-time
byAllen Niu@nhzallen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (virtual desktop browser to simulate human GUI actions) matches the included code and SKILL.md. The Python code spawns Xvfb and chromium-browser and uses PyAutoGUI/OpenCV for clicks, typing, screenshots and template matching — all expected for the stated purpose.
Instruction Scope
SKILL.md instructs installing system packages (apt-get) and pip dependencies, and the code writes a small state file under ~/.cache/virtual-desktop-browser/state.json. The install/run instructions and runtime operations (starting processes, moving mouse, typing, capturing screenshots) are within scope for GUI automation, but they do require OS-level package installs and will perform arbitrary input actions in the launched browser session (i.e., the agent can type/click any text or interact with pages).
Install Mechanism
No automated install spec is bundled (instruction-only install). SKILL.md recommends apt-get and pip commands — these are common for this functionality but require privileged/system changes and network access to package repositories. No downloads from unfamiliar URLs or extract operations are present in the bundle itself.
Credentials
The skill requests no environment variables, no credentials, and no external configuration paths beyond writing its own state in the user's home cache. That is proportionate to its stated function.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent configuration. It persists minimal state in ~/.cache/virtual-desktop-browser/state.json (display and PIDs) which is reasonable for lifecycle management.
Assessment
This skill is coherent with its stated purpose but has real operational impact: it requires installing OS packages (apt-get) and pip dependencies and will spawn Xvfb and a real Chromium process and then simulate mouse/keyboard input. Before installing/running, consider: 1) install and run inside an isolated environment (container or dedicated VM) so simulated input and browser sessions cannot interact with sensitive local apps; 2) be aware the agent can type/click arbitrarily in that virtual browser—do not pass secrets or session tokens into pages the skill will visit; 3) confirm you are comfortable running apt-get/pip on the host; 4) you may want to review or sandbox the skill code (skill.py) and the templates/images you supply for matching. If you need higher assurance, test in a disposable VM first.

Like a lobster shell, security has layers — review code before you run it.

automationvk97465r52rc73rd64zyx9kmdd582x9z8browservk97465r52rc73rd64zyx9kmdd582x9z8chromiumvk97465r52rc73rd64zyx9kmdd582x9z8latestvk97465r52rc73rd64zyx9kmdd582x9z8pyautoguivk97465r52rc73rd64zyx9kmdd582x9z8twittervk97465r52rc73rd64zyx9kmdd582x9z8xiaohongshuvk97465r52rc73rd64zyx9kmdd582x9z8xvfbvk97465r52rc73rd64zyx9kmdd582x9z8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments