Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Browser Demo Recorder

v1.1.0

Record browser demo videos from a plain-language brief by turning the requested flow into a plan, driving the OpenClaw browser via CDP, encoding an MP4, writ...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: scripts/run-recording.mjs drives a browser via CDP, uses puppeteer-core and a screen-recorder to produce MP4s in a workspace media/ directory. The example plan and plan schema align with the stated purpose.
Instruction Scope
The SKILL.md and code instruct the agent to build a plan and run node scripts/run-recording.mjs; that runner supports a variety of step types including an 'evaluate' step that executes arbitrary page-side JavaScript (new Function(...)() executed in page context). 'evaluate' is useful for in-page fixes (e.g., change form.target) but it also allows arbitrary DOM access and network activity from the visited page—this is expected for interactive recording but increases risk if the recorded site or generated plan is untrusted.
Install Mechanism
There is no formal install spec (instruction-only), which is low-risk, but package.json declares dependencies (puppeteer-core and puppeteer-screen-recorder). Consumers will need to ensure Node and these packages (and ffmpeg for recording) are available; no external arbitrary downloads or obscure URLs are used in the repository.
Credentials
The skill metadata declares no required env vars, but the code reads environment variables at runtime: OPENCLAW_CDP_URL (CDP endpoint), OPENCLAW_WORKSPACE (workspace root used to compute media/), and FFMPEG_PATH (optional ffmpeg location). These are not secrets per se and are proportionate to functionality, but the SKILL.md did not enumerate them — the agent will rely on them if present, and they affect where outputs are written and which browser endpoint is used.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It doesn't modify other skills or global agent settings. Autonomous invocation is allowed (platform default), which is expected for this kind of tool.
What to consider before installing
This skill appears to implement a browser recording tool as described, but review these before installing:
- Make sure you run it where Node dependencies are installed (puppeteer-core and puppeteer-screen-recorder) and ffmpeg is available or FFMPEG_PATH set. The package.json lists these dependencies but there is no automatic install spec.
- The runner reads OPENCLAW_CDP_URL (to connect to a browser), OPENCLAW_WORKSPACE (to locate the media/ directory), and FFMPEG_PATH — these env vars are not listed in the skill metadata; set them intentionally and ensure media/ is a safe writable location.
- Plans may include 'evaluate' steps that run arbitrary JavaScript in the context of visited pages. That is required for some interactions but can read DOM data or make network requests from the page origin. Do not record pages that contain sensitive personal or secret information unless you trust the plan and the recording environment.
- If you will run this in an automated or shared environment, verify the OpenClaw browser instance and workspace are isolated from sensitive sites/data.
If you want to proceed: ensure a local OpenClaw-compatible browser is listening (CDP URL), install Node deps, confirm ffmpeg is installed (or set FFMPEG_PATH), and inspect any generated plan before running it.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/run-recording.mjs:183: Dynamic code execution detected.

Like a lobster shell, security has layers — review code before you run it.
