Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
UI-Agent
v1.0.0Universal UI automation for browsers and desktops. Chrome DevTools Protocol + native APIs. 15/15 verified tests.
⭐ 0· 71·0 current·0 all-time
byNima Ansari@nimaansari
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (UI automation via CDP + native APIs) matches the code and tests: the repo contains a CDP wrapper, VirtualBox-safe Chrome launcher, AT-SPI2/X11 helpers, and verification utilities. However, registry metadata claims no required binaries or environment setup while the code and docs clearly expect Chrome/Chromium, Xvfb (or a display), xdotool/ydotool, screenshot tools, etc. That mismatch (metadata says 'none' while the implementation requires many system-level tools) is unexpected and should be resolved before trusting the skill.
Instruction Scope
The SKILL.md and docs explicitly instruct the agent to launch and reuse Chrome, send CDP commands, take screenshots, run shell commands, kill/relaunch Chrome, write/read files under /tmp, and call subprocess tools (pgrep, xdotool, xclip). Those actions are within the stated purpose (UI automation), but they are powerful: the skill can execute arbitrary shell commands via its shell() helper and manipulate other processes. The SKILL.md documents this capability (e.g., agent.shell, desktop_helpers.shell), so it's not hidden — but it does grant broad system access which users should treat as high-impact.
Install Mechanism
There is no install spec (instruction-only), which reduces supply-chain risk, but the repo and docs require system-level packages (Chrome, Xvfb, xdotool, scrot/gnome-screenshot, ydotool, etc.). The skill does not declare these required system binaries in the registry metadata. If you install/run the skill as-is it may fail or behave unpredictably on systems that lack those tools; conversely, an environment with those tools gives the skill extensive ability to control the host. No remote download or archive installs were observed in the manifest.
Credentials
The skill does not request any environment variables, credentials, or secret tokens in its metadata (primaryEnv: none), which is appropriate. It does, however, manipulate browser cookies (saves/restores document.cookie), write files under /tmp, and communicate with external sites (e.g., httpbin.org) as part of tests. Those behaviors are coherent for a UI automation tool but mean the skill can capture and restore session material (cookies) — a legitimate feature for automation but also something to be mindful of if you have sensitive sessions on the host.
Persistence & Privilege
The skill is not always-enabled (always:false) and does not request elevated platform privileges in the manifest. Autonomy (disable-model-invocation:false) is the platform default. The skill's code can launch and kill browsers and run shell commands, but it does not appear to modify other skills or system-wide OpenClaw configuration. Still, combining autonomous invocation with the ability to execute shell commands and manage processes increases the potential blast radius if the skill is given unsupervised authority.
What to consider before installing
This skill contains real code for browser (CDP) and desktop automation and will try to launch Chrome, Xvfb/GUI tools, and run system utilities (xdotool, pgrep, scrot/gnome-screenshot, etc.). Before installing or enabling it: 1) Only install from a trusted source — the manifest’s source/homepage are absent and the repo links in docs are placeholders. 2) Expect to need system packages (Chrome/Chromium, display server/Xvfb or Wayland tools, xdotool/ydotool, screenshot tools); validate and control those dependencies in an isolated environment (VM/container). 3) Review the src/ files (chrome_session_vbox_fixed.py, desktop_helpers.py, cdp_typer.py) to ensure you’re comfortable with the skill’s ability to run shell commands, kill/relaunch processes, and read/write files (it writes cookies and screenshots to /tmp). 4) Don’t grant this skill access to machines with sensitive active sessions unless you trust it — its cookie read/restore behavior can persist web sessions. 5) Run the skill initially in a sandboxed VM with minimal privileges and inspect test outputs before letting it run autonomously.Like a lobster shell, security has layers — review code before you run it.
latestvk9795fsd2em9v7f1kjvxwj2teh83m3c5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.