Skillv1.0.0

ClawScan security

AI-Search-Hub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 15, 2026, 1:30 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to implement the advertised browser-automation features, but it accesses and copies local browser user-data (potentially exposing session cookies/tokens), omits declared dependency/permission metadata, and contains a static-scan flag (base64 block) — review and run in a sandbox before use.
Guidance: What to consider before installing/running this skill: - This skill will try to reuse your logged-in browser sessions by reading and copying local browser profile directories (Chrome/Brave/Edge/Arc/etc.). Those profiles can contain cookies, local storage, OAuth tokens, and other sensitive session material — review the code and be comfortable with that level of access before running. - The registry metadata does not declare required dependencies (Playwright, a Chromium-family browser) or config paths. You should ensure Playwright and browsers are installed from trusted sources and understand the commands the scripts will run. - The wrapper can either start a new debug browser (after copying a profile) or attach to an existing DevTools endpoint (e.g., http://127.0.0.1:9222). Attaching to an already-running browser gives the script direct control over that browser; avoid pointing it at your primary browser unless you explicitly want that. - A static scan flagged a base64-block. Inspect the repository for any embedded/obfuscated data (search for long base64 strings) and verify their purpose. If you find any non-obvious encoded payloads, treat them as suspicious until decoded and explained. - Recommended precautions: run the skill inside a disposable/sandbox environment or VM; run with an explicitly created test browser profile (use --user-data-source set to a safe test directory, or avoid seeding from your real profile); review and, if needed, modify the copy logic to exclude sensitive files; and inspect network activity while running (e.g., ensure it only contacts the intended target sites and localhost DevTools endpoints). - If you want to proceed but lack the security expertise, ask the maintainer for a minimal manifest that lists dependencies and an explicit explanation of exactly which user-data files are copied. If the skill's owner cannot justify the base64 entry or the missing dependency metadata, avoid running it on sensitive hosts.
Findings: [base64-block] unexpected: Static scan found a base64-block pattern in SKILL.md or other files. The visible files mostly contain readable Python and Markdown; a base64 block is not expected for straightforward browser automation. This could be an obfuscated payload or a false positive (e.g., an embedded data URI in README badges). Recommend searching the repo for base64 strings and verifying their purpose before running.

Review Dimensions

Purpose & Capability: noteThe name/description (browser automation for multiple chat/search sites) matches the included Playwright scripts and the wrapper. Accessing browser binaries, DevTools (CDP), and copying a browser profile is coherent with the stated goal of reusing logged-in sessions. However, the skill does not declare required binaries or config paths (no Playwright or Chromium binary listed, no config paths declared) even though the code expects Playwright and local browser user-data directories — an omission that reduces transparency.
Instruction Scope: concernSKILL.md explicitly instructs the agent to 'seed an isolated debug profile from the user's local browser data', attach to CDP on 127.0.0.1:9222, detect and wait for manual login, and then continue. The included scripts implement logic to discover guessed user-data directories, copy user profile data into a debug profile, and attach/start Chromium with a remote-debugging port. That means the runtime will read large parts of the user's browser profile (cookies, Local State, etc.) — a scope that goes beyond simple HTTP automation and can expose many session tokens.
Install Mechanism: noteThere is no install spec (instruction-only at registry level) but repository contains executable Python scripts that depend on Playwright and a Chromium-family binary. The skill does not declare these dependencies in metadata; the environment must already have Playwright and browsers installed. This mismatch is a transparency/usability issue (and a potential security hazard if users attempt to satisfy implicit install steps from untrusted sources).
Credentials: concernThe registry lists no required environment variables or config paths, yet the code reads and copies local browser user-data directories (home-based Chrome/Brave/Edge profiles). Those directories often contain sensitive tokens, cookies, and other state. While this access is functionally justified to reuse logged-in sessions, it is broad and potentially exposes credentials across many sites. No explicit credential scoping or warning is present in metadata.
Persistence & Privilege: noteThe skill does not request always:true and does not appear to modify other skills or system-wide agent settings. It will create an isolated debug profile and write logs/output under the repo (e.g., chrome_startup.log, out/*, debug profile dir). It can also be directed to attach to an existing CDP endpoint — which, if you point it at a running browser's DevTools, grants the script control over that browser session. This is powerful but explained in SKILL.md; combine with the user-data access it increases blast radius.