Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Browser Automation 1.0.1
v1.0.0Automate web browser interactions using natural language via CLI commands. Use when the user asks to browse websites, navigate web pages, extract data from w...
⭐ 0· 87·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The stated purpose—automating browser interactions—is consistent with the commands and examples in the docs. However the registry metadata claims no required env vars or binaries while the SKILL.md and setup.json clearly expect Chrome, npm/npm link, and API keys (ANTHROPIC_API_KEY and optional BROWSERBASE_API_KEY/BROWSERBASE_PROJECT_ID). This mismatch is an inconsistency the author should justify.
Instruction Scope
Runtime instructions instruct the agent/operator to run npm install and npm link, launch Chrome with remote-debugging on port 9222 and use a persistent profile directory (.chrome-profile), and to save downloads/screenshots under ./agent/. Those actions persist session cookies, downloads, and other browser state to disk and automatically choose remote vs local mode based on API keys found in a .env file (with no user prompt). The docs also say the tool uses an AI model (Claude Haiku) for element selection. The instructions therefore access local filesystem state and secrets (.env), persist sensitive data, and enable a remote control interface (CDP) — all of which are broader than the registry metadata indicates.
Install Mechanism
There is no install spec in the registry (instruction-only), but the included setup.json and SKILL.md instruct users to run npm install and npm link. Running those commands will fetch and build whatever dependencies are declared in package.json (which is not included in the package contents provided), so the actual code/run-time dependencies are unknown. This creates risk because arbitrary code could be installed/executed when following setup instructions.
Credentials
The skill metadata declared no required environment variables, yet SKILL.md/setup.json reference ANTHROPIC_API_KEY (required per setup.json) and optional Browserbase keys (BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID). Those keys are plausible needs (model API for AI-driven element selection, remote browser provider), but the registry should have declared them. Also the tool uses and preserves a local Chrome profile directory and download directory, which means it will read/write potentially sensitive local data (cookies, session tokens, downloaded files).
Persistence & Privilege
The skill does not force-enable itself (always:false), but its workflow explicitly creates and reuses persistent state: .chrome-profile (session cookies), ./agent/downloads (downloaded files), and ./agent/browser_screenshots (images). It also launches Chrome with remote debugging on port 9222 (CDP) which, if accessible, could be used by other local processes to control the browser. These behaviors have privacy and persistence implications and should be made explicit to users.
What to consider before installing
This package appears to do what it says (automate browsers), but the published metadata omits several important requirements and privacy-impacting behaviors. Before installing or running it: (1) Inspect the package's package.json and dependency list (npm install will fetch unknown code). (2) Be prepared to provide an ANTHROPIC_API_KEY and optionally Browserbase keys; only provide keys you trust the code/provider to use. (3) Understand the tool will create a persistent Chrome profile (.chrome-profile) and save downloads/screenshots under ./agent/, which can store cookies, sessions, and downloaded files — delete these when finished if they contain sensitive data. (4) Running npm link will add a global 'browser' command that executes project code; only do this for code from a trusted source. (5) Note that launching Chrome with remote-debugging on port 9222 exposes a CDP endpoint — ensure it's bound to localhost and not accessible remotely. (6) Because the skill has no provenance/homepage and the registry metadata conflicts with its own docs, treat it as untrusted until the author clarifies the discrepancies or provides the actual package code for review.Like a lobster shell, security has layers — review code before you run it.
latestvk97d1zgy7gv5b4hpg8mrh0kcgn83v5k2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.