ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

browser-toggle

v1.0.1

Enable or disable the OpenClaw built-in browser with one command, featuring auto backup, recovery, and cross-platform support.

0· 381·1 current·1 all-time
by@yoo-unison
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match behavior: code and scripts only read/write OpenClaw config (~/.openclaw/openclaw.json), manage backups (~/.openclaw/workspace/backups), and provide enable/disable/status/headless controls. No unrelated binaries, env vars, or credentials are requested.
Instruction Scope
SKILL.md and install scripts instruct running setup/install which copy files into the user's OpenClaw workspace and invoke browser_toggle.py to modify openclaw.json. This is appropriate for the purpose, but note the skill writes to the user's OpenClaw config and creates backups — review those files before installing if you don't trust the source.
Install Mechanism
No remote downloads or archive extraction occur in the provided install scripts; setup.sh and install.sh copy local files into the ~/.openclaw workspace and optionally create a symlink. Build script creates local tarball; README references GitHub releases but install scripts do not fetch external content.
Credentials
No environment variables, credentials, or external tokens are required. The code accesses only the OpenClaw config and user home paths, which are necessary for the skill's stated function.
Persistence & Privilege
The skill installs into the user's OpenClaw workspace and may create a global symlink (/usr/local/bin/openclaw-browser) if permissions allow. It does not set always:true or request persistent elevated privileges, but creating a global command requires writable /usr/local/bin (sudo) — avoid granting that unless you trust the package.
Assessment
This skill appears to do what it says: it modifies ~/.openclaw/openclaw.json to enable/disable the built-in browser and keeps backups. Before installing: (1) verify the skill source — files reference GitHub but the registry source/homepage are 'unknown' — prefer an authoritative repository; (2) inspect browser_toggle.py (it is short and readable) and the backup directory to confirm no unexpected behavior; (3) do not allow creation of a global symlink (/usr/local/bin) unless you trust the package (the installer only attempts this if it has permission); (4) if you are unsure, run the code in an isolated environment/VM or manually copy the single script into your OpenClaw skills folder and run it without running setup.sh. The skill does modify your OpenClaw configuration and requires restarting OpenClaw to take effect — back up important data before proceeding.

Like a lobster shell, security has layers — review code before you run it.

automationvk975hxyx3m995dsy4nctf05dp5820fc4browservk975hxyx3m995dsy4nctf05dp5820fc4latestvk97fs52zxbz215csap3b4pq261824y0qopenclawvk975hxyx3m995dsy4nctf05dp5820fc4utilityvk975hxyx3m995dsy4nctf05dp5820fc4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments