PinchTab
Warn. Audited by ClawScan on May 18, 2026.
Overview
PinchTab appears to be a legitimate browser-control plugin, but it can drive logged-in browser sessions and forwards OpenClaw session identifiers to its browser server, so its configuration should be tightly scoped before use.
Install only if you need agent-driven browser automation. Keep the default isolated profile, set `allowedDomains`, use a trusted local PinchTab server, avoid the `user` profile for sensitive logged-in accounts, and enable evaluate/download/upload/network features only for narrowly scoped tasks.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1

Impact: An agent could navigate pages, click, type, capture page contents and, if the corresponding policies are enabled, run page JavaScript, upload or download files, or inspect network traffic.

Evidence: The primary tool exposes broad browser-control features. These are central to the plugin's purpose and some are policy-gated, but they are high-impact if enabled or used on sensitive sites.

```
"evaluate", "pdf", "download", "upload", "network", "health"
```

Recommendation: Keep evaluate, uploads, downloads, and network interception disabled unless needed, and set an `allowedDomains` list for sensitive workflows.

Finding 2

Impact: If the `user` profile is used, the agent may act inside already logged-in websites and could read or change account data through the browser.

Evidence: Attaching to an existing browser session gives the agent access to logged-in accounts and cookies. The same configuration example also shows `allowedDomains: []`, meaning all domains are allowed by default.

```
| `user` | Attach to existing browser session (cookies/logins preserved) |
```

Recommendation: Prefer the isolated `openclaw` profile, avoid the `user` profile for sensitive accounts, and configure domain allowlists and human approval for account-changing actions.

Finding 3

Impact: A misconfigured or compromised PinchTab server could receive internal OpenClaw session identifiers that the user may not expect to leave the agent runtime.

Evidence: The plugin forwards OpenClaw runtime session identifiers, including `sessionKey`, as HTTP headers to the configured PinchTab server. That boundary is sensitive, especially if `baseUrl` is not strictly local and trusted.

```typescript
if (context?.sessionKey) headers["X-OpenClaw-Session-Key"] = context.sessionKey;
```

Recommendation: Use a trusted local PinchTab server where possible, avoid pointing `baseUrl` at untrusted hosts, and consider removing or documenting the transmission of session identifiers.

Finding 4

Impact: Later tool calls may reuse the previous tab context, which is convenient but can surprise users if tasks switch between websites or accounts.

Evidence: The plugin keeps in-memory per-agent session state for up to an hour, including last-tab context, to support continuity across tool calls.

```javascript
const agentSessionMaxAgeMs = 60 * 60 * 1000;
const agentSessions = new Map();
```

Recommendation: Disable `persistSessionTabs` when isolation between tasks is more important than continuity, or manually close or reset tabs between sensitive tasks.

Finding 5

Impact: A future container image update could change browser-server behavior without the user noticing.

Evidence: The optional manual server setup uses an unpinned `latest` container tag, which can change over time.

```shell
docker run -d -p 9867:9867 ghcr.io/pinchtab/pinchtab:latest
```

Recommendation: Pin the PinchTab server image to a specific version or digest for production or sensitive use.
