Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Browser Relay

v0.2.2

Control the user's local Chromium browser through an HTTP relay (bypassing data-center IP blocking), with support for sending screenshots to Telegram

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious, medium confidence
Purpose & Capability
The skill's description (local Chromium relay + Telegram screenshots) matches the included code (relay.py + start.sh). However the registry metadata claims no required binaries/env vars while the SKILL.md and start.sh clearly require system binaries (chromium/chromium-browser, python3, curl, pip) and a Python runtime + dependencies. The metadata omission is an incoherence: a user installing this should expect to need Chromium (with remote debugging) and Python tooling.
Instruction Scope
SKILL.md instructs agents to use /evaluate only for UI automation and to avoid reading cookies/localStorage/passwords; but the relay's /evaluate endpoint (relay.py) executes arbitrary JavaScript in the browser context and returns results to the caller. That capability can read DOM, cookies, localStorage, and any data accessible to the page. The safety rules are advisory and not enforced by the server, so a malicious or misconfigured agent could extract sensitive data and transmit it elsewhere (even if SKILL.md forbids it). The skill also instructs launching Chromium with --remote-allow-origins=* which relaxes browser protections and increases attack surface.
Install Mechanism
There is no formal install spec (instruction-only), but code files are included. The code and start.sh operate locally (no remote downloads in the provided files). This lowers supply-chain risk compared to downloading arbitrary artifacts, but running start.sh/relay.py will write files and open network connections (to Chromium CDP and Telegram). The repository expects pip install -r requirements.txt (aiohttp, websockets), but that appears only in the docs and is not enforced by an install spec.
Credentials
The skill does not request environment variables in metadata, which is consistent with the included code. It does rely on optional Telegram bot credentials (TG_BOT_TOKEN, TG_CHAT_ID) for sending screenshots — those are reasonable for the Telegram feature but are not required by the skill to function. There is no request for unrelated cloud credentials. However the skill instructs reading /tmp/browser-relay-token and caching it in session_state; if the implementation also writes other sensitive data (not evident in the truncated file), that could be an issue. The number and type of secrets requested is proportionate, but the ability to read arbitrary page data via /evaluate makes the effective scope of sensitive data access larger than the metadata implies.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent config. It creates and uses local artifacts (PID file, token file, log file) under /tmp and a screenshots directory under the repo, which is expected for a local relay. This level of persistence is proportionate to its functionality.
What to consider before installing
This skill appears to be what it says (a local HTTP→CDP relay) but has important security caveats you should understand before installing:
- Required system binaries: SKILL.md/start.sh require Chromium (with --remote-debugging-port=9222 and --remote-allow-origins=*), python3, pip, and curl. The registry metadata did not list these; make sure your environment meets these requirements and that you understand the security implications of --remote-allow-origins=*.
- Arbitrary JS execution: The relay exposes an /evaluate endpoint that runs arbitrary JavaScript in the browser context and returns results. Although the SKILL.md asks agents not to read cookies/localStorage/passwords, that restriction is advisory only. Any caller that obtains the token (or an agent that misbehaves) can exfiltrate DOM, cookies, localStorage, or other sensitive data.
- Local token handling: The skill uses a startup token file (e.g., /tmp/browser-relay-token). Inspect relay.py to confirm it creates the token file with secure permissions (SKILL.md claims 0600). Do not run the relay as a privileged user. Prefer an isolated environment (VM/container) and a browser profile without sensitive logins.
- Telegram usage: If you enable the Telegram screenshot feature, use a dedicated minimal-permission bot and a chat dedicated to this purpose. Do not reuse tokens for bots that control sensitive channels.
- Trust boundary: This skill relies on the agent and user to follow the documented constraints; those constraints are not enforced by the code. Only run this if you trust the agent and any callers on the machine, and consider running the relay inside an isolated VM/container and using an ephemeral browser profile.
- Recommended actions before installation: review the full relay.py to confirm where and how the token file is written and whether any unexpected network endpoints are contacted; update registry metadata to declare required binaries; run the relay in a sandbox; and limit access to the machine so that only trusted processes can call 127.0.0.1:18792. If you want a lower-risk alternative, consider automating via a headless browser on a separate controlled VM that does not contain your personal logins, or use remote automation that does not allow arbitrary JS execution in a profile with sensitive cookies.
