auto-fill

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: auto-fill
Version: 1.0.0

The skill bundle (SKILL.md) instructs the agent to perform high-risk actions including executing shell commands to launch Chrome with remote debugging enabled and modifying the local IDE configuration file (~/.cursor/mcp.json) to install MCP servers. It also explicitly tells the agent to bypass user confirmation when starting processes or navigating to websites (e.g., Wise, Creem). While these actions are aligned with the stated goal of form automation, the instructions to modify system configurations and execute background processes without explicit user consent represent a significant security risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could navigate to an unintended website and begin filling information there before the user has clearly confirmed the target.

Why it was flagged

The agent is instructed to guess the destination and navigate directly instead of getting an explicit URL or confirmation, which can put user-provided form data on the wrong site.

Skill content
Infer the target URL from the user's description and `browser_navigate` to it directly; do not ask the user for the link
Recommendation

Require the user to provide or confirm the exact URL/domain before filling any fields, especially for accounts, payments, registrations, or sensitive forms.

What this means

The agent may be able to view and interact with pages where you are logged in, including private account or business forms.

Why it was flagged

The skill intentionally uses real Chrome/CDP and avoids the sandbox because it lacks login state, so the agent may operate inside authenticated browser sessions.

Skill content
All browser operations must use **the `playwright-cdp` tools** (connected to real Chrome)... sandbox browser, no login state
Recommendation

Use an isolated Chrome profile when possible, verify the active account and domain before invoking the skill, and avoid using it on highly sensitive accounts unless necessary.

What this means

Future installs or reloads could run a different version of the MCP package than the one originally reviewed.

Why it was flagged

The setup uses npx with '-y' and an unpinned '@latest' package in a persistent MCP config, so the actual code run can change over time.

Skill content
"command": "npx", "args": ["-y", "@playwright/mcp@latest", "--cdp-endpoint", "http://127.0.0.1:9222"]
Recommendation

Pin the MCP package version and review the MCP configuration before reloading or enabling it.

What this means

Private information visible on the page or entered into the form may be exposed to the agent context during the task.

Why it was flagged

The skill brings page structure and screenshots into the agent workflow; this is necessary for form filling but can include private page content or entered form data.

Skill content
`browser_snapshot` ... get the accessibility tree ... `browser_take_screenshot` ... show the fill results
Recommendation

Use it only on pages whose contents you are comfortable sharing with the agent, and avoid unrelated sensitive tabs or pages.

What this means

A debug-enabled browser may keep running after the task, allowing local tools or processes to continue controlling that temporary Chrome profile.

Why it was flagged

The workflow starts a debug-enabled Chrome process in the background and does not provide a matching stop, cleanup, or user-approval step.

Skill content
nohup /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222 --user-data-dir="/tmp/chrome_debug_profile" > /tmp/chrome_debug.log 2>&1 &
Recommendation

Ask before starting background Chrome, document how to stop it, and clean up the temporary profile and log after use.