Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Browser
v0.1.0
Browser automation CLI for AI agents. Use when the user needs to interact with websites, including navigating pages, filling forms, clicking buttons, taking...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (browser automation) matches the included commands and templates, but the skill's metadata declares no required env vars or credentials while the instructions and templates repeatedly reference sensitive variables and state files (APP_USERNAME, APP_PASSWORD, AGENT_BROWSER_ENCRYPTION_KEY, HTTP_PROXY, session/state files). That mismatch between declared requirements and actual usage is incoherent and deserves scrutiny.
Instruction Scope
SKILL.md and reference docs instruct the agent to import browser state from a running Chrome instance via remote debugging, save and load plaintext session state files, evaluate arbitrary JavaScript in-page (eval --stdin / --base64), and use proxies (including authenticated proxies). Those actions give the skill access to all session tokens/cookies and allow arbitrary page-level code execution — expected for a browser tool but high-sensitivity and not reflected in the manifest. The instructions also reference environment variables and files that are not declared in requires.env.
Install Mechanism
No install spec is provided (instruction-only skill plus templates). Nothing is downloaded or written by an installer step. The risk from installation is low, but runtime behaviors (saving state files, connecting to local Chrome) determine the actual surface.
Credentials
The skill's metadata lists no required environment variables, yet the docs/templates expect and instruct the use of APP_USERNAME, APP_PASSWORD, AGENT_BROWSER_ENCRYPTION_KEY, HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, and possibly other secrets. State files containing session tokens are explicitly described as plaintext unless an encryption key is set. This is a material mismatch: sensitive env vars and files are used but not declared or scoped in the registry metadata.
Persistence & Privilege
The skill does not request always:true, which is good, but its runtime guidance encourages persisting profiles/sessions (~/.agent-browser/sessions/, --profile directories, state save/load). Combined with autonomous invocation (normal default), the ability to import a running Chrome session via --auto-connect (--remote-debugging-port) can expose all logged-in accounts on the host to the agent. This persistence and access model elevates risk and should be clearly disclosed and restricted.
What to consider before installing
Before installing or using this skill, consider that:
1) The documentation instructs the agent to import and reuse browser sessions and save state files that can contain session tokens in plaintext — treat those files like passwords (encrypt them, .gitignore them, delete them when done).
2) The skill's metadata does not declare the env vars the templates use (APP_USERNAME, APP_PASSWORD, AGENT_BROWSER_ENCRYPTION_KEY, proxy creds). That mismatch means you should not assume the registry metadata fully describes the skill's sensitive requirements.
3) Using --auto-connect / Chrome --remote-debugging-port exposes full browser control to local processes — do not connect to a browser where you are logged into sensitive accounts. Prefer ephemeral profiles or the provided auth vault pattern rather than importing an already-authenticated browser.
4) If you need to run this, run it in a restricted environment (dedicated testing user/profile or VM/container), avoid connecting to your personal browser, set an encryption key for saved state, and delete state files after use.
5) Ask the publisher (or request updated metadata) to: declare required env vars/primary credential, document exactly where state is stored, and confirm whether the skill transmits any saved state off-host. Those clarifications would change this assessment to less suspicious.
Like a lobster shell, security has layers — review code before you run it.
latest: vk972jybvccj5w2vstx66epj8hx83dbve
