Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
browser-mcp
v1.0.1
Uses the Chrome DevTools MCP protocol to remotely control a Chrome browser and carry out web tasks. Triggered whenever the user says "open a website", "search for me", "click in and have a look", "view the details", "operate the web page", "open ChatGPT/Gemini", or any other task that requires browser automation. Supports website navigation, element interaction, form filling, multi-step navigation, information extraction, SSR...
by @nasvip
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name/description (remote control of Chrome via DevTools/CDP) matches the SKILL.md: navigation, element interactions, snapshots, etc., legitimately require a DevTools connection. However, the instructions also promote attaching to an already-logged-in 'boss' Chrome, SSRF whitelist tweaks, and remote (LAN) CDP access — capabilities that go beyond simple browsing automation and require elevated access to user sessions.
Instruction Scope
The SKILL.md explicitly instructs operators to enable Chrome remote debugging, possibly set --remote-allow-origins=*, open firewall port 9222, and connect over ws://<ip>:9222. It references the user's OpenClaw config path and instructs attaching to an existing logged-in browser (access to cookies, auth sessions). Those steps expose sensitive browser state and network surfaces and are not limited in scope by the manifest.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Nothing will be written or downloaded by the skill itself, which reduces install-time risk.
Credentials
No environment variables or credentials are declared, yet the skill relies on unrestricted access to the user's existing Chrome session and to the OpenClaw config path. That implicit requirement (reading/controlling a logged-in browser) is high-privilege and not explicitly surfaced in the manifest or rationale.
Persistence & Privilege
The skill recommends persistent platform configuration changes (openclaw.json SSRF whitelist, enabling remote debugging, firewall rules) that can create long-lived network exposure. The skill itself does not set always:true, but its recommended configuration changes raise the risk of persistent privilege expansion and external access to the browser session.
What to consider before installing
This skill will attach to and control an existing Chrome browser (including whatever accounts are logged in) by asking you to enable remote debugging and potentially open network access on port 9222. That effectively exposes cookies, session tokens, and any pages open in the browser to the agent/remote hosts. Before installing or running it:
- Only use with a disposable or dedicated Chrome profile that contains no sensitive accounts or cookies. Do NOT attach your primary browser/profile.
- Prefer local-only CDP (cdpUrl bound to 127.0.0.1) and avoid enabling --remote-allow-origins=* or opening port 9222 to your LAN/WAN. If remote access is needed, limit it to a trusted, isolated network and secure tunnels (SSH/VPN).
- Review and backup your openclaw/openclaw.json before applying SSRF whitelist changes; do not add overly broad allowedHostnames or enable dangerouslyAllowPrivateNetwork unless you understand the consequences.
- Ask the publisher for source code or an implementation of the 'browser(action=...)' interface so you can inspect exactly what the skill will execute; the package has no homepage or source link.
- If you cannot verify the origin or audit the implementation, decline or run it in a controlled VM/container with no sensitive data.
Given these ambiguities and the high sensitivity of browser sessions, treat this skill as suspicious unless you can confirm the code and run it in an isolated environment.
latest: vk97ex46vz50n4cag2kn0vgckz983jc39
