Skillv1.0.0

ClawScan security

Browser Automation 1 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 7, 2026, 1:47 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (browser automation) is plausible, but the instructions and included support files contradict the declared requirements and imply external API usage and persistent local state — the package appears incomplete and demands secrets/files it did not declare.
Guidance: This skill is internally inconsistent and requires caution. Before installing or running it: 1) Do not provide API keys or credentials until you confirm the skill's code and provenance — the docs reference ANTHROPIC_API_KEY but the skill metadata does not declare it. 2) Treat the .chrome-profile and ./agent/downloads/ behavior as persistent storage for cookies and files; if you run it, use an isolated/ephemeral environment or remove the profile directory afterward. 3) The bundle lacks source code and a trustworthy install method (setup.json asks you to npm install/link, but no package code is included) — ask the publisher for the full source, a verifiable homepage/repository, and a reproducible install manifest. 4) If you must test it, run in a sandboxed VM or container with no real credentials and no sensitive browser profiles, and monitor outbound network traffic (the tool appears to rely on an external AI model which may receive page content). 5) If you cannot verify origin or inspect the implementation, do not install or supply secrets; consider rejecting the skill until the author provides a complete, auditable package and clear declarations of required env vars and data flows.

Review Dimensions

Purpose & Capability: concernThe name/description (browser automation) matches the SKILL.md capabilities (navigate, extract, fill, screenshot). However the skill declares no required binaries or env vars while its docs and setup.json clearly expect a global 'browser' CLI, a local Chrome installation, Node.js dependencies, and an ANTHROPIC_API_KEY. That mismatch is disproportionate and unexplained.
Instruction Scope: concernThe runtime instructions and examples instruct the agent to: launch Chrome with a persistent profile (.chrome-profile/), automatically download files to ./agent/downloads/, and perform authenticated logins (examples include filling passwords). The REFERENCE explicitly says AI model (Anthropic Claude Haiku) is used to interpret page actions — meaning page content and possibly credentials may be sent to an external model. The SKILL.md does not declare or limit this telemetry, so the instruction scope goes beyond simple local automation and may expose sensitive data.
Install Mechanism: concernThere is no formal install spec in the skill bundle, yet setup.json instructs users to run npm install and npm link and to ensure a globally linked 'browser' command. The package files present (package-lock.json empty, no source files) suggest the implementation is missing from the bundle or the skill expects an out-of-band install step from an unknown source. That is incoherent and increases risk because installing arbitrary npm packages from an unknown origin is high-risk.
Credentials: concernThe skill's declared requirements list no environment variables, but setup.json explicitly demands ANTHROPIC_API_KEY and the docs reference launching Chrome with a user-data-dir (persistent cookie/session storage). Requesting an external model API key and persisting browser profile data are high-privilege operations that are not proportional to the skill's explicit metadata and were not declared up front.
Persistence & Privilege: noteThe skill does not set always: true and does not claim to modify other skills. However it preserves a Chrome profile (.chrome-profile/) and writes downloads/screenshots to agent directories, meaning it will persist session cookies, local storage, and any downloaded files across runs — a surprising persistence behavior that can leak credentials or session tokens if not expected.