Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
xvfb-chrome
v1.0.2在Linux服务器上使用Chrome浏览器(无头/有头模式)配合xvfb运行,可连接chrome-devtools MCP进行浏览器自动化
⭐ 0· 533·2 current·2 all-time
byRyan@codinglink
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the SKILL.md: it is a how-to for running Chrome with Xvfb and connecting DevTools/MCP. However the skill does not declare any required binaries even though the instructions rely on google-chrome (or chrome), Xvfb/xvfb-run, and a non-standard tool 'mcporter'. The omission of required binaries/config is an incoherence (likely oversight) that could mislead users about what must be present.
Instruction Scope
Instructions stay within the claimed purpose (starting Chrome, binding to Xvfb, using DevTools via MCP). They do include system-level commands (pkill, killall, ps aux) and reference paths like /tmp and /root and the local debug endpoint. The guide also recommends --no-sandbox and exposing the remote-debugging port which are operationally risky but relevant to the task. The instructions assume the presence of an MCP tool (mcporter) without declaring it.
Install Mechanism
This is instruction-only and has no install spec or downloads, which limits supply-chain risk. That said, it assumes several external binaries are installed; because nothing is installed by the skill itself, there's no direct installation risk from the skill bundle.
Credentials
The skill declares no environment variables or credentials and the instructions do not attempt to read unspecified secrets. This is proportionate. Note: it uses filesystem paths (e.g., /tmp, /root) and a localhost debug port; these are operational choices but not undeclared secret access.
Persistence & Privilege
The skill is not always-enabled and does not request special persistence or modify other skills. It is user-invocable only and can be invoked autonomously (platform default), which is expected for a runtime helper.
What to consider before installing
This is a coherent how-to for running Chrome under Xvfb, but review before running: 1) The SKILL.md expects google-chrome (or chromium), Xvfb/xvfb-run, and a third-party MCP client 'mcporter'—the skill metadata doesn't list these required binaries; ensure you have trusted versions installed. 2) The guide recommends --no-sandbox and enabling --remote-debugging-port; both reduce browser isolation and can expose a debugging interface if not bound to localhost—do not expose the port to untrusted networks and avoid running as root. 3) Paths like /root/screenshot.png indicate actions that may require elevated permissions; prefer non-root paths. 4) 'mcporter' is not a standard system tool—verify its origin and trustworthiness before invoking it. 5) Because the skill is instruction-only, it won't install code automatically, but the shell commands it suggests perform powerful operations (process killing, starting services, file writes); run them in a controlled environment (container or non-production server) and inspect commands first.Like a lobster shell, security has layers — review code before you run it.
latestvk97c1cj2nsd8vyahjscnjbsb8d81xkgf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.