Oc Browser Automation 1.0.0

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent browser-automation skill, but it can operate through logged-in browser profiles and perform real website actions, so it warrants review before use.

This skill is not shown to contain malicious code, but it gives an agent powerful browser-control instructions. Prefer a separate sandbox browser profile, avoid using your personal Chrome profile unless you explicitly intend it, and confirm any action that submits data, changes an account, uploads files, downloads sensitive content, or captures logged-in pages.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with a live browser profile, the agent may act as the user on logged-in websites and expose account state.

Why it was flagged

The skill explicitly allows use of the user's Chrome profile and acknowledges that browser state may include login sessions, but does not bound which accounts/sessions are used or require confirmation before account-affecting actions.

Skill content

profile | string | Browser profile: openclaw (default) / chrome (use your Chrome) ... The browser may contain login sessions; do not share browser state

Recommendation

Use a sandbox or separate browser profile by default, and require explicit user confirmation before switching to Chrome/live sessions or submitting forms, clicking account actions, uploading files, or downloading sensitive data.

What this means

Mistaken or over-broad automation could submit forms, change website data, upload a chosen file, or download content unintentionally.

Why it was flagged

The skill exposes broad browser-control operations, including clicks, typing, file upload/download, and page evaluation. These are purpose-aligned for browser automation but can affect real websites.

Skill content

**Click** | Click a page element ... **Type** | Type text into an input field ... **File upload** | Upload a file to a web page ... **Download** | Download a file from a web page ... kind ... click, type, press, hover, scroll, select, drag, fill, evaluate

Recommendation

Keep browser actions user-directed and confirm before submissions, purchases, account changes, uploads/downloads, or evaluate-style actions.

What this means

Sensitive webpage content, account details, or request information could be exposed to the conversation if captured while logged in.

Why it was flagged

Screenshots, DOM snapshots, console output, and network request views can bring page contents and session-related information into the agent context.

Skill content

**Screenshot** | Page screenshot or full-page screenshot ... **Snapshot** | Get a DOM snapshot of the page ... browser action=console ... browser action=requests filter="api"

Recommendation

Avoid capturing sensitive pages unless necessary, use a non-sensitive browser profile, and do not share screenshots/snapshots from logged-in sessions.

What this means

It may be harder to verify the publisher or provenance of the skill.

Why it was flagged

The included _meta.json owner/slug differ from the supplied registry metadata, and the package lists no source or homepage. Because this is instruction-only with no code, this is a provenance note rather than a standalone concern.

Skill content

"ownerId": "kn79r8786yeqppanzfekfv7kqx82kcga", "slug": "oc-browser-automation"

Recommendation

Install only if you trust the publisher, and prefer packages with consistent metadata and a verifiable source or homepage.