auto-browser
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: auto-browser Version: 1.0.0 The 'auto-browser' skill is classified as suspicious because its instructions (SKILL.md) direct the agent to execute a shell command to launch Chrome with remote debugging enabled (CDP) without seeking user confirmation ('直接启动,不问用户'). Furthermore, it instructs the agent to modify the sensitive IDE configuration file '~/.cursor/mcp.json' to add a new MCP tool. While these actions are functionally related to browser automation, the explicit instruction to bypass user consent for process execution and the modification of system-level configuration files represent high-risk behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could read or act inside websites where you are logged in, not only public pages.
The skill plans to operate through a real Chrome session that may already be authenticated, giving the agent delegated access to user accounts across websites.
所有浏览器操作使用 user-playwright-cdp 的工具(连接真实 Chrome,保留登录态)。
Use a dedicated browser profile for automation, avoid sensitive accounts, and require explicit confirmation for any account-changing action.
A browser debugging endpoint may remain running after the task, allowing continued local automation of that Chrome profile.
The skill tells the agent to start a background Chrome debugging process without asking the user and does not describe stopping or cleaning it up.
❌ 无响应 → 直接启动,不问用户: ... nohup ... --remote-debugging-port=9222 ... --user-data-dir="/tmp/chrome_debug_profile" ... &
Ask before starting Chrome Debug mode, use a dedicated temporary profile, bind explicitly to localhost, and provide a clear cleanup command.
Future runs may execute changed external code with access to browser automation and page data.
The setup uses npx to run the latest version of an external MCP package and stores it in persistent MCP configuration, without pinning a reviewed version.
如果 ~/.cursor/mcp.json 里没有 playwright-cdp 配置,添加: command: npx, args: ["-y", "@playwright/mcp@latest", "--cdp-endpoint", "http://127.0.0.1:9222"]
Pin the MCP package version, review the package source, declare the dependency in installation metadata, and avoid @latest for persistent tool configuration.
JavaScript run inside a page could read or modify page state more broadly than a normal click or form fill.
The skill exposes a raw page-JavaScript fallback. This is useful for browser automation, but it can bypass normal UI boundaries on authenticated pages.
执行 JS | browser_evaluate | 页面没有暴露 UI 时的后备手段
Prefer snapshot-guided UI actions, and ask the user before using browser_evaluate on sensitive or logged-in pages.
The MCP server may receive page structure, screenshots, and data from logged-in sites during automation.
Browser commands and page observations flow through an MCP server connected to the local CDP endpoint. This is expected for the skill, but it is a sensitive data boundary.
"playwright-cdp": { "command": "npx", "args": ["-y", "@playwright/mcp@latest", "--cdp-endpoint", "http://127.0.0.1:9222"] }Use only a trusted local MCP server, keep it version-pinned, and avoid using the skill on pages containing highly sensitive information unless necessary.