Skill v0.1.0

ClawScan security

Baoyu Danger Gemini Web · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 1:46 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The code and instructions match a reverse‑engineered Gemini Web client, but it reads/writes browser cookies and Chrome profile data (sensitive) while the registry metadata does not declare those requirements — proceed only after reviewing and isolating it.
Guidance
This skill contains a full TypeScript client that reverse‑engineers the Gemini Web endpoints and authenticates by reading Google browser cookies (__Secure-1PSID / __Secure-1PSIDTS) via Chrome/CDP and writing cookie files. That behavior is coherent with its goal but is sensitive: browser cookies can be used to impersonate your account. The registry metadata did not declare these config/permission needs, which is a red flag. Before installing:
- Inspect scripts/main.ts and the cookie-loading code yourself (or have someone you trust do so).
- Do NOT run it against your primary Chrome profile. Set GEMINI_WEB_CHROME_PROFILE_DIR to a disposable profile or test VM/container.
- Be aware it will spawn Chrome and open an authentication window; it will write consent and cookie files under your home dir.
- Consider legal/TOS implications: reverse‑engineered access to Google endpoints may violate the provider terms and could stop working.
- If you cannot review the source, avoid granting it access to real browser cookies or personal accounts; prefer official APIs with explicit credentials instead.

Review Dimensions

Purpose & Capability
Rating: note
The name/description (reverse‑engineered Gemini Web API for text/image generation) aligns with the included TypeScript client and CLI. However, the skill requires access to browser cookies and Chrome profile directories to authenticate (via __Secure-1PSID / __Secure-1PSIDTS), which is not advertised in the registry metadata (no required config paths or credentials listed).
Instruction Scope
Rating: concern
SKILL.md and the code instruct the agent to read/write files under the user's home (consent.json, EXTEND.md, cached cookie files), spawn Chrome (via child_process) and use the Chrome remote debugging/CDP to extract cookies, and then call gemini.google.com and related Google endpoints. Those actions access highly sensitive local browser state (cookies) and will download/run runtime tooling (npx -y bun). This scope goes beyond a simple 'generate image' description and could expose sensitive credentials if misused.
Install Mechanism
Rating: note
There is no formal install spec (instruction-only), which lowers installer risk. However, the usage examples run 'npx -y bun scripts/main.ts', which fetches and executes the bun runtime on first use. The included code itself will be executed by the agent. No arbitrary remote archives or unknown URLs are used in an install step, but 'npx -y bun' implies downloading an executable to run the TypeScript.
Credentials
Rating: concern
The skill reads browser cookies, can launch Chrome with a new user-data-dir, and writes cookie files and consent files under user directories. Those are high‑sensitivity operations (cookie tokens) that are not reflected in the declared metadata (no required env vars or config paths). Optional env vars exist (GEMINI_WEB_CHROME_PATH, GEMINI_WEB_CHROME_PROFILE_DIR, GEMINI_WEB_COOKIE_PATH), but requesting access to local browser cookies is a substantial privilege and should be explicitly declared and consented to.
Persistence & Privilege
Rating: ok
The skill does not request 'always: true' and does not modify other skills. It writes local files (consent, cookie cache, sessions) under its own data directory; this is expected for a client that caches auth. No evidence it alters system-wide agent configuration or other skills.