Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Browser Auth
v1.6.0
Start a secure remote browser tunnel for manual user authentication (solving Captchas, 2FA, logins) and capture session data. Built for AI Commander.
⭐ 0 · 1k · 2 current · 2 all-time
by Coder AI (@lksrz)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The code, required binaries (node, chromium-browser), and npm deps (express, socket.io, playwright-core) match the stated purpose of launching a local headless Chromium and streaming control/screenshots for manual authentication. However the SKILL.md claims a default local bind of 127.0.0.1 and 'No Persistence', while the runtime behavior differs (see instruction_scope and environment_proportionality).
Instruction Scope
Runtime instructions align with the code's workflow (start server, share link, verify, delete session file). But the server, when invoked without AUTH_HOST set, binds to 0.0.0.0 by default (code: host = process.env.AUTH_HOST || '0.0.0.0'), contrary to the SKILL.md claim. The code writes sensitive session data (cookies and localStorage) to a local session file without encryption and does not auto-delete it. The server prints an access link containing the token to stdout, which can leak the token via logs. These behaviors broaden the exposure surface beyond what is described.
Install Mechanism
The provided install step uses a standard npm install (express, socket.io, playwright-core). This is a common pattern for Node skills and is traceable to npm; it is not an arbitrary download. Installing playwright-core is moderately heavyweight and will require network access to the npm registry, but no untrusted URLs or extract-from-URL steps are present.
Credentials
The registry lists no required env vars, but SKILL.md and the code reference AUTH_HOST, AUTH_TOKEN, and BROWSER_PROXY. If AUTH_HOST is unset the code will bind publicly (0.0.0.0). The skill captures and persists session cookies/localStorage to disk (session.json) — highly sensitive data that the documentation downplays by saying 'No Persistence'. Requiring no credentials is coherent, but the combination of token-in-query links and token logging increases risk if the host is exposed.
Persistence & Privilege
The skill does not request platform-wide privileges and is marked always:false (not force-included), which is good. However it persists sensitive artifacts to the filesystem, prints the access link/token to stdout, and — via its default host behavior — can expose the server to the network unintentionally. Those factors increase privilege/exposure risk in practice even though the skill does not modify system-wide configs.
What to consider before installing
This skill largely does what it says (launches a headless Chromium and captures cookies/localStorage), but several details are risky or inconsistent with its documentation. Before installing or running it:
- Treat the session file (session.json) as highly sensitive — delete it immediately after use and restrict file permissions.
- Always explicitly set AUTH_HOST=127.0.0.1 when starting the server (do not rely on defaults) to avoid accidental public exposure.
- Always set an explicit AUTH_TOKEN and share it over a secure channel; do not rely on auto-generated tokens if running in insecure environments.
- Run the skill inside an isolated environment (dedicated VM or container) and firewall the host/port; do not run on a host with public network access without a secure tunnel (SSH/Tailscale/Cloudflare Tunnel).
- Be aware the server prints the access URL/token to stdout — avoid running it where logs are collected or visible to others.
- Review the code and confirm npm packages will be installed from the official registry; consider installing dependencies in an isolated environment.
Given the mismatches (public bind default, on-disk persistence, token logging), proceed only if you understand and mitigate these risks. If needed, ask the author to change the default host to 127.0.0.1, avoid printing tokens in cleartext, and add an option to encrypt or avoid writing session data to disk by default.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97dryed12z0xq88dtm0n6841n81dwrh
Runtime requirements
Bins: node, chromium-browser
