v1.0.0

UI-Agent

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:22 AM.

Analysis

This skill is a powerful browser and desktop automation framework with shell and browser-session access, so it should be reviewed carefully before installation.

GuidanceInstall only if you intentionally want a high-privilege RPA-style tool. Use a separate browser profile, avoid sensitive logged-in accounts, require confirmation before form submissions, emails, file changes, or shell commands, and verify the source repository and dependencies before running it.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

`ctrl._send(method, params)` ... Common commands: `Page.navigate`, `Runtime.evaluate`, `Input.insertText`, `Storage.getCookies`; `ctrl.js(code)` — Execute JavaScript in page context

The skill exposes low-level browser-control and arbitrary JavaScript execution primitives rather than a narrow set of safe, task-specific actions.

User impactAn agent using this skill could navigate logged-in websites, fill or submit forms, click destructive UI controls, read page data, or change web application state.

RecommendationUse only with explicit per-task approval, restrict it to intended domains and apps, and avoid using it in sensitive logged-in sessions unless that access is intended.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

docs/SKILL.md

`shell(command)` — Purpose: Execute shell command ... Example: `success, out, err = agent.shell("ls -la")`

The skill documents a raw shell execution interface, which can run arbitrary local commands if invoked.

User impactA misuse or mistaken instruction could modify files, launch programs, install software, or affect the local environment.

RecommendationTreat shell execution as a privileged action: require explicit approval, limit allowed commands, and run in a sandbox or least-privilege environment where possible.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

metadata

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The registry metadata does not provide a clear source or install contract, even though the artifacts include executable code and documentation for installing dependencies.

User impactUsers may not know which repository, dependency set, or code version they are trusting for a skill that can control browsers, desktops, sessions, and shell commands.

RecommendationInstall only from a verified repository, require pinned dependency files, and ensure registry metadata matches the actual code and installation process.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

docs/FINAL_PRODUCTION_STATUS.md

Status: Ready for GitHub Deployment (7/8 Real + 1 Known Limitation) ... 1 test blocked by VirtualBox environment

This conflicts with other artifact claims such as `15/15 verified tests` and `ALL 8 TESTS VERIFIED & PASSING`, making the production-readiness and verification claims inconsistent.

User impactA user may over-trust the skill's reliability and safety claims despite conflicting evidence in the included documentation.

RecommendationTreat the verification claims as unproven until the maintainer reconciles the documentation and provides consistent, reproducible test evidence.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

README.md

`Storage.getCookies` - Read cookies (for session persistence) ... `for cookie in saved: js = f"document.cookie = '{cookie['name']}={cookie['value']}...'"`

Cookies are session credentials. The documented workflow reads browser cookies and restores them into a browser session.

User impactThe skill may operate with the same authority as the user's logged-in browser accounts, including email, developer, financial, or business services if those sessions are available.

RecommendationRun it in a dedicated disposable browser profile, do not expose sensitive logged-in sessions unnecessarily, and require clear user confirmation before account-affecting actions.