ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Browser Vps Setup Skill

v1.0.0

Set up a remote-controlled Chrome browser on a Linux VPS with noVNC visual access (via SSH tunnel) and optional authenticated HTTP proxy. Use when the user w...

0· 529·0 current·0 all-time
by@osipov-anton
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (remote-controlled Chrome + noVNC + optional proxy) match the SKILL.md steps: installing Xvfb/x11vnc/noVNC, launching Chrome with remote debugging, and exposing noVNC bound to localhost for SSH tunneling. Required privileges (sudo/root) and apt (Debian/Ubuntu) are declared in the header and needed for the described operations.
Instruction Scope
Instructions stay within the stated purpose (install VM display, VNC, noVNC, launch Chrome, configure openclaw.json, optional proxy bridge). However some runtime commands expand the attack surface: launching x11vnc with -nopw (no password) even though bound to localhost, running websockify and services as background processes, and recommending Chrome with --no-sandbox. The optional Python proxy injects Proxy-Authorization into requests and runs a long-lived socket server — that component handles sensitive credentials and network traffic and is outside typical simple setup steps.
Install Mechanism
This is instruction-only (no install spec), which minimizes hidden installs. The SKILL.md downloads Google Chrome directly from dl.google.com (official). Still, the instructions write and execute packages on the VPS (apt/apt-get, wget + .deb), so the user is ultimately executing remote-sourced code — expected for this task, but it merits normal caution (verify package source/signature).
!
Credentials
The skill requests no environment variables or external credentials in the registry metadata, but the optional proxy step requires upstream host/port/username/password to be embedded into a one-liner Python server. That is sensitive and the SKILL.md does not advise secure secret handling (e.g., use environment variables, config files with restricted permissions, or a vetted PAC/proxy client). Also running Chrome with --no-sandbox increases risk of privilege escalation in case web content is malicious.
Persistence & Privilege
always:false and default autonomous invocation are appropriate. The skill requires root/sudo and asks to edit ~/.openclaw/openclaw.json — both are expected for configuring the agent. Still, the combination of running Chrome with --no-sandbox and backgrounding VNC/websockify services increases long-lived attack surface; consider running under a dedicated, limited user or container and ensure services remain bound to localhost and protected by firewall/SSH tunnel.
Assessment
This skill appears to do what it says (set up a controllable Chrome on a VPS), but it uses several risky operational choices you should review before installing: 1) Chrome is launched with --no-sandbox (dangerous when browsing untrusted sites); avoid this if you can or run Chrome as an unprivileged user or inside a dedicated container/VM. 2) x11vnc is started with -nopw (no password) — the author limits exposure by binding to localhost, but ensure ports are not publicly reachable and only use SSH tunnels from trusted machines. 3) The optional proxy bridge requires embedding proxy credentials into a running Python one-liner: don’t paste secrets into a shell history or shared commands; prefer storing credentials in a file with strict permissions or using a vetted proxy client that supports authenticated upstreams. 4) Running services as root and installing .debs from the network is expected here but increases risk; verify downloads, prefer package-managed installs if available, and isolate this workload from other systems. 5) After setup, an agent and any user with access to the gateway/browser can control the browser (navigate pages, run JS, download). Limit the agent’s permissions and avoid visiting sensitive internal services with the provisioned browser. If you plan to proceed, consider: running the stack under a dedicated user or container, enabling proper authentication for VNC/noVNC, handling proxy credentials securely (not inline), and keeping the Chrome sandbox if possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e1qzh3kjr7gjaftsktpq3f181fcq8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments