Skill v1.0.0

ClawScan security

Camofox Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 15, 2026, 3:04 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The code and runtime instructions largely match a headless-browser server, but there are multiple places where sensitive environment variables and subprocess spawning are handled in ways that could forward host secrets or enlarge the attack surface. Review how the plugin launches the server and which environment variables are passed to it before installing.
Guidance
This package appears to be a real headless-browser server, but there are a few non-trivial security considerations you should check before installing or running it in your OpenClaw agent environment:
- Inspect plugin.ts / the OpenClaw integration entrypoint to confirm how the server subprocess is launched. Specifically, ensure it does NOT forward the entire host process.env into the server child process. A safe launcher builds an explicit whitelist of only the environment variables the server truly needs (CAMOFOX_PORT, CAMOFOX_COOKIES_DIR, etc.) and excludes unrelated host secrets.
- Treat CAMOFOX_API_KEY, proxy credentials (PROXY_USERNAME/PROXY_PASSWORD), and cloud tokens (FLY_API_TOKEN, etc.) as sensitive. If you enable cookie import or proxy features, set these as isolated container/VM secrets (not in a general shell profile) and prefer starting the server manually in that environment rather than letting the plugin spawn it inside a host process that holds many other secrets.
- The cookie-import flow reads local Netscape-format files and posts cookie data to the server. The code enforces an allowlist directory and file-size limits, which is good; still, only place cookie files you trust into the configured cookies directory.
- The project downloads/uses external browser binaries (Camoufox) and optionally yt-dlp; verify the download sources (URLs) before running, and prefer sandboxed execution (a separate VM or container) for initial evaluation.
- If you do not fully trust the source, run the server in an isolated environment (container/VM) with minimal environment variables set, do not set a global CAMOFOX_API_KEY on your workstation, and review plugin launch behavior carefully.
If you want, provide the plugin author or repo URL so plugin.ts and server.js can be audited specifically; the assessment would be higher-confidence if those files were reviewed in full.
Findings
[dangerous-exec] expected: lib/launcher.js imports child_process and calls spawn (aliased). This is expected: the plugin launches the server as a subprocess. It's CRITICAL in generic scanners but coherent here if subprocesses are limited to server and yt-dlp, and if envs forwarded are controlled.
[dangerous-exec] expected: lib/youtube.js (documented in SKILL.md and README) uses child_process to call yt-dlp. This is expected for extracting transcripts without API keys, but subprocess use should follow the whitelist-env rule described in CONTRIBUTING.md.

Review Dimensions

Purpose & Capability
ok: The files and APIs match the stated purpose: a headless-browser REST server with snapshotting, element refs, cookie import, downloads, proxy support, and optional yt-dlp integration. Modules (cookies, proxy, downloads, snapshot, macros) are coherent with the description.
Instruction Scope
concern: SKILL.md instructs agents to read local cookie files and POST them to the server (cookie import). The implementation includes path traversal checks and file-size limits, which mitigates some risk, but the overall flow still requires an API key and allows reading local cookie files (sensitive). The README/SKILL.md also documents many env vars (API key, proxy creds, Fly tokens) that the server will read and use; if those are exposed to the plugin process or forwarded to subprocesses, secrets could be leaked. The guide's claim that server.js contains no process.env / child_process seems intended to satisfy scanners, but the codebase does spawn subprocesses (launcher.js, youtube.js) and centralizes env reads in lib/config.js; you'll want to inspect exactly how plugin.ts / the OpenClaw integration launches the server at runtime.
Install Mechanism
note: This is instruction-only in the registry (no install spec), which reduces automatic install risk. The README references downloading a large Camoufox binary (~300MB) and a Docker build that expects pre-fetched binaries; those downloads are external and should be verified (source URLs are not included in the registry metadata). No packaged install script in the skill was provided.
Credentials
concern: The centralized config (lib/config.js) reads many environment variables (CAMOFOX_API_KEY, CAMOFOX_ADMIN_KEY, PROXY_USERNAME/PASSWORD, FLY_API_TOKEN, etc.) and exposes a serverEnv object containing these values. launcher.js spawns a subprocess and spreads a provided env object into the child (env: { ...env, CAMOFOX_PORT: String(port) }), which means that if the plugin or launcher is given the full host process.env, secrets could be forwarded to the server subprocess. These environment variables are functionally relevant to proxying, cookie import, and cloud deploy, but the skill metadata lists no required envs, so the skill expects sensitive secrets if you enable those features. Ensure the plugin uses an explicit whitelist and does not pass the entire host environment.
Persistence & Privilege
note: The always flag is false. The skill is user-invocable and allows autonomous model invocation (the default), which is normal for skills. The ability to spawn and manage a long-running local server subprocess increases the blast radius if the plugin is invoked autonomously and given broad env access; consider restricting agent autonomy or running the server in an isolated environment if you plan to give it sensitive envs or proxy credentials.