Back to skill
Skillv2.0.0
ClawScan security
Browser Devtools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 7:07 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its stated purpose (a small local CLI wrapper around Chrome Dev Editor), requests no credentials, has no install step, and contains only simple local file I/O; it appears to be a lightweight, mostly stubbed utility rather than malware.
- Guidance
- This skill appears coherent and low-risk: it does not request credentials, does not perform network I/O, and only writes logs/data under a user data directory (~/.local/share/browser-devtools by default). Two notes: (1) the implementation is mostly a stub (the run command is unimplemented), so expect limited functionality; (2) if you plan to run it, inspect the scripts yourself and note where data is stored. If you are concerned about any write activity, run it in a restricted or disposable account/environment.
Review Dimensions
- Purpose & Capability
- noteThe name/description claim a Chrome Dev Editor developer tool. The included scripts and SKILL.md are coherent with that goal (a CLI named browser-devtools / chromedeveditor). However, the implementation is mostly a lightweight stub: scripts explicitly echo 'TODO: Implement main functionality' and provide simple local data/log management rather than a full-fledged devtool. This is not dangerous but is an overstatement of capability.
- Instruction Scope
- okSKILL.md only instructs running the CLI commands (help/run/info/status). The instructions do not ask the agent to read unrelated files, access external endpoints, or exfiltrate data. The runtime guidance is limited and scoped to the tool's commands and stdout.
- Install Mechanism
- okNo install specification is provided (instruction-only). Two small shell scripts are included in the repo; there is no network install, no archive extraction, and no external package fetch — low-risk.
- Credentials
- okThe skill declares no required environment variables or credentials. The scripts do create and write to a data directory under $BROWSER_DEVTOOLS_DIR or $XDG_DATA_HOME or $HOME/.local/share/browser-devtools, which is proportionate for a local CLI utility that stores data/logs.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills or system-wide configuration, and only writes files under the user's data directory. This is normal for a local CLI tool.