Skill v0.1.0
ClawScan security
AgentGo Cloud Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 7, 2026, 9:57 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill’s instructions match a cloud Playwright browser integration, but its metadata omits the required AGENTGO_API_KEY and it includes detailed anti-detection and cookie-injection techniques that increase abuse risk. The pieces are coherent functionally, but there are notable mismatches and sensitive practices you should review before installing.
- Guidance: This skill appears to implement what it claims (cloud Playwright automation), but there are red flags you should consider before installing:
  - AGENTGO_API_KEY is required by the examples but is not declared in the skill metadata. Confirm with the publisher that the skill will request this credential and understand how and where you must provide it.
  - The references include explicit anti-detection techniques and instructions for extracting and injecting session cookies (e.g., X/Twitter auth_token and ct0). These are powerful and can be abused; never provide cookies or API keys for accounts you do not own, and avoid automating actions that violate a service's terms of use.
  - Using this skill means trusting the remote endpoints (wss://app.browsers.live and https://app.agentgo.live): it routes browsing through a third-party cloud provider. Review their privacy/security policy and understand what data may be logged or visible to them (page URLs, contents, session cookies, screenshots, etc.).
  - Use least privilege: create and use dedicated/test accounts and limited-scope API keys if possible. Do not store API keys or cookies in source control; follow the skill's own advice to keep them out of VCS and use secure storage.
  - Because the SKILL.md pins an exact Playwright version (1.51.0), run the automation in an isolated environment (container or VM) to avoid dependency conflicts and to limit impact if credentials are leaked.

  If you plan to proceed, ask the skill publisher to update the metadata to declare AGENTGO_API_KEY as a required credential and to document how cookies/credentials should be handled safely. If you need this skill to act autonomously, consider the additional risk that the automation could perform high-impact actions using the provided cookies/API key.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md content, reference files, and examples are consistent with the stated purpose (connecting to AgentGo via Playwright to automate browsers). However the registry metadata lists no required environment variables while the runtime instructions repeatedly require process.env.AGENTGO_API_KEY; this metadata/instruction mismatch is an incoherence that could lead to accidental misconfiguration or missing security controls. Also the skill teaches cookie injection and anti-detection tactics, which are technically within the automation purpose but sensitive in consequence.
- Instruction Scope (note): Instructions stay within browser automation scope (connect to wss://app.browsers.live, use Playwright APIs, manage sessions). They also include explicit anti-detection strategies (mobile emulation, human-like typing, simulated scrolling) and step-by-step instructions for extracting and injecting session cookies (e.g., for X/Twitter). Those behaviors are coherent for a tool designed to automate human-like interactions, but they are powerful and can enable actions that bypass site protections or operate on someone else's account if cookies/credentials are mishandled.
- Install Mechanism (ok): This is an instruction-only skill (no install spec). It tells users to install a specific package (playwright@1.51.0). No arbitrary download URLs or extract steps are present. The requirement to use an exact older Playwright version is fragile and worth noting, but not an install-security red flag by itself.
- Credentials (concern): The runtime examples and helpers require AGENTGO_API_KEY (read from process.env), and the docs instruct storing session cookies locally (or in env/config). Yet the skill metadata declares no required environment variables or primary credential. This mismatch is concerning because sensitive credentials (API key and session cookies) are needed to operate and they are not documented in the metadata that the platform uses to surface permissions. The skill also instructs reading local config files (e.g., x_config.json), which involves handling secrets outside the declared requirements.
- Persistence & Privilege (ok): The skill does not request elevated platform privileges: always:false, no OS restrictions, and it does not describe modifying other skills or system-wide config. There is no evidence it attempts to persist beyond its normal use.
