Skillv3.5.0

ClawScan security

tappi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 21, 2026, 3:30 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill generally matches its stated purpose (local CDP-based browser control) but has several inconsistencies and privacy/exfiltration risks you should be aware of before installing.
Guidance: This package appears to implement what it says (a lightweight CDP CLI) but exercise caution before installing: - The tool requires Node.js/npm and a Chrome/Chromium with --remote-debugging-port; the registry metadata did not declare Node as a required binary — confirm you want to run Node scripts from this skill. - The CLI can read local files (paste --file) and inject files into web pages (upload), and it can execute arbitrary JS in pages (eval). These behaviors are necessary for its features but can expose sensitive files or send data to external sites if misused. Do not run it with a browser profile that has signed-in accounts or sensitive cookies unless you trust the code and environment. - The CDP endpoint defaults to localhost, but CDP_URL can be changed; avoid pointing it at untrusted remote endpoints. - Review the full scripts/browser.js (and any truncated parts) yourself or run in an isolated environment (container or VM) before giving it access to real data or profiles. - If you decide to proceed: run the install step yourself (cd scripts && npm install), inspect installed node_modules (ws), and consider restricting the browser profile used (use a disposable profile or containerized browser).

Review Dimensions

Purpose & Capability: concernThe SKILL.md and embedded scripts implement a local Node.js CLI that talks to a Chrome DevTools Protocol endpoint — this matches the skill description. However, the registry metadata lists no required binaries while SKILL.md instructs you to run `npm install` and run `node` (Node.js/npm are functionally required). That metadata omission is a mismatch and should have been declared. Also SKILL.md claims 'instruction-only' install but includes sizeable JS code that must be installed and run.
Instruction Scope: noteInstructions are narrowly scoped to controlling a Chrome/Chromium instance via CDP (navigate, click, type, upload, eval, screenshot). Those actions are expected for this purpose. Important note: several commands intentionally read local files (paste --file, upload) and run arbitrary JS in page context (eval), which are coherent with the tool's functionality but enable reading local files and interacting with remote websites (potential exfiltration).
Install Mechanism: noteThere is no formal install spec in the registry, but SKILL.md instructs the user to run `cd scripts && npm install`, which pulls the 'ws' package from npm. Using npm is a reasonable choice for a Node CLI, but it is a moderate-risk install path compared with no-install — it writes code to disk and pulls third-party packages. The registry should have declared this requirement.
Credentials: noteThe skill declares no required environment variables, and the code defaults to a local CDP endpoint at http://127.0.0.1:18800 (override via CDP_URL). That is proportionate. Caveat: if CDP_URL is set to a remote endpoint, the tool could talk to a non-local CDP (potential exfiltration). The ability to read files and upload them to web pages is functionally justified but increases privacy risk; these capabilities are powerful and should be used only with trusted profiles and content.
Persistence & Privilege: okThe skill does not request always:true or modify other skills or agent-wide settings. It requires explicit invocation and runs as a local Node CLI; no elevated or persistent platform privileges are requested.