Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Reach
v0.2.0 · Agent web interface. Browse websites, fill forms, login to services, sign transactions, send/receive email, solve CAPTCHAs, and interact with the web autonom...
⭐ 0 · 157 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The name/description (web/browser automation, forms, email, signing, payments) aligns with the included code and primitives. However the registry metadata lists no required environment variables or credentials while SKILL.md and source reference sensitive variables (PRIVATE_KEY, RPC_URL, CAPSOLVER_API_KEY, RESEND_API_KEY, GITHUB_TOKEN). That mismatch (declaring no credentials vs. code clearly needing them) is inconsistent and unexpected.
Instruction Scope
SKILL.md and the code instruct the agent to run local servers (MCP, webhook server), persist user data (cookies, inbox, screenshots, state under data/), auto-solve CAPTCHAs via a third-party solver, send and receive email, sign transactions and send payments, and interact with arbitrary websites. These instructions go well beyond simple read-only browsing and can access and transmit sensitive information. The instructions also rely on running node scripts in the package (e.g., node src/mcp.js), and include steps that will store persistent files locally.
Install Mechanism
The registry lists no install spec, yet the package contains a package.json and package-lock.json with heavy native/user-level dependencies (playwright, ethers, node-fetch, dotenv). That means installing/running the skill will require npm install and Playwright browser binaries — substantial code execution on the host — but the registry provided no automated install guidance or declared risks. The dependencies themselves are from standard registries (npm) and appear legitimate, but the absence of an install spec is an incoherence that reduces transparency.
Credentials
SKILL.md and source files expect several highly sensitive environment variables (PRIVATE_KEY for signing/payments, RPC_URL, CAPSOLVER_API_KEY for CAPTCHA solving, RESEND_API_KEY for sending mail, GITHUB_TOKEN for API access). Those variables are proportionate to the features offered, but the registry metadata incorrectly declares none required and does not declare a primary credential. Requiring a private key and multiple tokens without declaring them up-front is a serious mismatch and increases the risk of accidental secret exposure.
Persistence & Privilege
The skill persists cookies, session files, inbox JSON, screenshots, and state under data/. It starts a local webhook server to receive inbound email/webhooks. It does not set always:true and doesn't appear to modify other skills, but persistence and webhook exposure mean data handled by the skill remains on disk and could be used later. Consider the blast radius if the agent is allowed to run autonomously while these files exist.
What to consider before installing
This skill includes real code that will run locally (Playwright, ethers, mailbox/webhook code) and offers powerful capabilities: automated logins, CAPTCHA solving via a third-party service, sending/receiving email, signing transactions and making payments, and persisting cookies/state to disk. Before installing, consider the following:
- Mismatch: the registry claims no required env vars, but SKILL.md/source expect PRIVATE_KEY, RPC_URL, CAPSOLVER_API_KEY, RESEND_API_KEY, GITHUB_TOKEN. Treat that as a red flag and ask the publisher to reconcile metadata.
- Secrets: do NOT provide a real wallet PRIVATE_KEY or high-value credentials. If you want to test, use an ephemeral wallet with minimal funds and throwaway API keys.
- Isolation: run the skill in a contained environment (dedicated VM or container) because installing/using it requires npm install and Playwright and will persist files under data/.
- Webhooks & external services: the webhook server and remote inbox will accept inbound network requests; verify endpoints (CapSolver, Resend, ExoHost) and consider network restrictions if you don't trust the publisher.
- Review the code paths that handle signing/payments, authentication flows, and webhook handlers (primitives/sign.js, primitives/authenticate.js, utils/webhook-server.js, primitives/captcha.js, primitives/email.js). Look for any unexpected external endpoints or hard-coded secrets.
- If you require the functionality but want lower risk: run without PRIVATE_KEY and without CAPSOLVER/RESEND keys, which will disable payment and third-party services; or request a version with explicit minimal-surface mode (read-only browsing, no signing/email/webhook).
Because the skill requests multiple sensitive integrations but the registry metadata omits them, treat this as suspicious until the author provides corrected metadata and a clear trust/audit story.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- src/cli.js:390: Environment variable access combined with network send.
- src/index.js:56: Environment variable access combined with network send.
- src/primitives/captcha.js:117: Environment variable access combined with network send.
- src/primitives/email.js:119: Environment variable access combined with network send.
- src/primitives/observe.js:304: Environment variable access combined with network send.
- src/primitives/pay.js:39: Environment variable access combined with network send.
- src/sites/github.js:15: Environment variable access combined with network send.
- test/real-world-tests.js:49: Environment variable access combined with network send.
- test/test.js:90: Environment variable access combined with network send.
- src/primitives/email.js:41: File read combined with network send (possible exfiltration).
- src/router/router.js:22: File read combined with network send (possible exfiltration).
- src/utils/recorder.js:143: File read combined with network send (possible exfiltration).
latest · vk971jn2z8220sny43ntafvyh0h83f8ny
