ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jarvis Browser Setup

v1.0.1

Setup Jarvis Browser Control System for new users. Generates unique WebSocket auth token, configures server, and prepares extension files. Use when user want...

0· 179·1 current·1 all-time
by@evernation

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for evernation/jarvis-browser-setup.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Jarvis Browser Setup" (evernation/jarvis-browser-setup) from ClawHub.
Skill page: https://clawhub.ai/evernation/jarvis-browser-setup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install jarvis-browser-setup

ClawHub CLI

Package manager switcher

npx clawhub@latest install jarvis-browser-setup
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description claim: create token, configure server, prepare extension and auto-start server. The provided script generates a token and prepares files, which matches, but it does NOT start the WebSocket server nor robustly inject the token into the extension. It also relies on a hard-coded template directory (/home/openclaw/.openclaw/workspace/jarvis-browser-v3.3-hybrid) outside the skill's own workspace — an assumption that may access unrelated files. These mismatches between claim and actual behavior are unexplained.
!
Instruction Scope
SKILL.md promises a fully-automated end-to-end setup (including starting the WebSocket server). The runtime script only creates an output folder, copies templates (if present), updates a single hard-coded ws URL string in extension/config.js, and writes config.json/README. It does not daemonize or launch the server, nor does it reliably place the token into extension files. The script reads/writes files in absolute paths under the OpenClaw workspace and will fallback to a hard-coded IP, which is broader file-system and network access than the SKILL.md makes clear.
Install Mechanism
No install spec — instruction-only skill with a bundled Python script. No remote downloads, package installs, or extracted archives. This is lower risk from an install-mechanism perspective.
Credentials
The skill requires no environment variables or external credentials, which is proportional. However, the script reads from an absolute template path in the user's OpenClaw workspace; that could expose or copy unrelated files if the template path is present. It also reaches out to 8.8.8.8 (UDP) to determine the host IP—an innocuous network probe but worth noting.
Persistence & Privilege
always:false and no special privileges requested. The script writes files into the current working dir (creates an output package) and copies from a workspace folder; it does not modify other skills' configurations or claim permanent presence. Still, copying from another workspace path could touch other skills' artifacts.
What to consider before installing
This skill is not obviously malicious, but it has inconsistencies and risky assumptions you should understand before running it. Things to check/do before installing or executing: - Do not assume the WebSocket server will be started automatically: SKILL.md claims auto-start, but scripts only prepare files and print instructions—you must manually inspect and start the server. Look for and review the actual server file (e.g., server/jarvis_server_v3.5_fixed.py) before running it. - Verify token handling: the script generates a token but does not explicitly inject it into the extension in a robust way. After running, inspect extension/config.js and server config to ensure the token is present only where intended and not accidentally exposed. - Confirm the template path: the script copies files from /home/openclaw/.openclaw/workspace/jarvis-browser-v3.3-hybrid. If that path exists on your system it will be read/copied — ensure those files are safe and don’t contain secrets. If the path does not exist the script will print a warning and do less than the README promises. - Run in an isolated/sandbox environment first (VM or container) and review all generated files (config.json, server/*, extension/*) before exposing any machine or network port publicly. - Be cautious with the generated token: treat it as a secret. Do not share the output folder publicly. If you decide to use this, rotate tokens and restrict network access to the server (firewall, bind to localhost or trusted interface). If you need higher assurance, ask the publisher for the server code (jarvis_server_v3.5_fixed.py) and the extension source so you can audit how authentication is validated and whether any telemetry or external endpoints exist. If you cannot verify those, mark this skill as untrusted and avoid running it on production machines.

Like a lobster shell, security has layers — review code before you run it.

latestvk971xrsv7dmsw9sm6d9pmpzc9s83dk08
179downloads
0stars
2versions
Updated 1mo ago
v1.0.1
MIT-0
@evernation
latest
Download

Jarvis Browser Setup

Setup Jarvis Browser Control System v3.5 for new users with fully automated token generation.

When to Use

Use this skill when:

  • User wants to share browser control with someone else
  • Setting up a new instance for another user
  • Need to generate new unique auth token
  • Preparing distributable package

Key Feature: FULLY AUTOMATED 🎯

The user just says:

"Setup Jarvis Browser for me"

And OpenClaw automatically:

  1. 🔑 Generates unique auth token
  2. 📦 Creates server config
  3. 🚀 Starts WebSocket server
  4. ⚙️ Prepares extension files
  5. ✅ Provides ready-to-use setup

No manual steps required!

For OpenClaw Users (Recommended)

# Install skill
clawhub install jarvis-browser-setup

# Then just say:
"Setup Jarvis Browser for me"
# OpenClaw does everything automatically!

For Manual Setup

python3 ~/.openclaw/workspace/skills/jarvis-browser-setup/scripts/setup.py

Output

  • config.json - Token & IP configuration
  • server/ - Python WebSocket server (auto-started)
  • extension/ - Pre-configured Chrome extension
  • README.md - Setup instructions

Token Format

  • 48 random characters (cryptographically secure)
  • Example: XsJ3N-mAtusZ+WSPr0Ca!ExnVdQ8UuGd8J9PCwo9l8bmX3ACylw6Nv
  • Unique per user

Security

  • Each user gets unique token
  • Token never shared between users
  • Server validates token on every connection

Requirements

  • Python 3.8+
  • Chrome/Edge browser
  • Port 8765 available

Comments

Loading comments...