ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

chrome-relay-browser

通过 Chrome Extension relay 控制浏览器。用于控制用户已在 Chrome 中打开并 attach 的标签页,无需启动新浏览器,用户可直接看到操作界面。触发条件:(1) 用户让我操作浏览器 (2) 需要复用用户已打开的页面 (3) 需要截图/填表/点击等操作

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 251 · 0 current installs · 0 all-time installs
by@zaviwayne
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, the SKILL.md, and scripts/ctl.js consistently implement control of an already-attached Chrome tab via a local relay. The required env vars (RELAY_TOKEN, RELAY_PORT) and the secrets path map directly to the relay/gateway model described.
Instruction Scope
Runtime instructions limit actions to connecting to a local relay, issuing Chrome DevTools Protocol commands (navigate, screenshot, evaluate, click, fill, etc.), and reading the declared secrets file. They do not instruct reading unrelated system files or contacting remote hosts beyond localhost.
Install Mechanism
No install spec (instruction-only) reduces installation risk. However, the included script requires Node.js and the 'ws' npm module, but the skill metadata does not declare Node or any required binaries/dependencies or provide installation steps for npm packages — an operational omission that may confuse users or lead to failed runs.
Credentials
Only RELAY_TOKEN and RELAY_PORT (plus the config file path) are required and those are proportional to a relay-based browser-control capability. No unrelated credentials or broad environment access are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. It only reads its own secrets file and uses local HTTP/WebSocket connections; it does not persist additional system-wide privileges.
Assessment
This skill appears to do what it says: control an already-attached Chrome tab via a local relay. Before installing, verify the Chrome extension and gateway you will use are from a trusted source (inspect their code if possible). Ensure Node.js is installed and the script's npm dependency ('ws') is installed (the SKILL.md does not declare this). Protect the secrets file (~/.openclaw/secrets/browser-relay.env) — anyone with RELAY_TOKEN and access to the relay port can control attached pages. Avoid attaching the relay to sensitive sites (banks, password managers) and consider rotating the token after use. If you need higher assurance, request an explicit install/packaging spec and dependency list from the skill author or review the extension/gateway source code and network exposure to ensure the relay is strictly local.
scripts/ctl.js:10
Environment variable access combined with network send.
!
scripts/ctl.js:15
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1
Download zip
latestvk978zjvr5kfrhzvh7bq3g5ayy183e1r8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis
EnvRELAY_TOKEN, RELAY_PORT
Config~/.openclaw/secrets/browser-relay.env

SKILL.md

chrome-relay-browser

通过 Chrome Extension relay 控制已 attach 的浏览器标签页。

前置条件

  1. 配置 openclaw.json(确保 browser 部分已配置):

    "browser": {
  "enabled": true,
  "defaultProfile": "chrome-relay",
  "attachOnly": true
}

  2. 安装 Chrome 扩展

    openclaw browser extension install
openclaw browser extension path  # 获取安装路径

    然后在 Chrome 中加载:打开 chrome://extensions,开启开发者模式,加载上述路径

  3. 配置扩展(安装后需配置一次):

    • 点击扩展图标 → 设置
    • Relay port: 从 ~/.openclaw/secrets/browser-relay.env 读取 RELAY_PORT
    • Gateway token: 从 ~/.openclaw/secrets/browser-relay.env 读取 RELAY_TOKEN

  4. Attach 标签页

    • 在 Chrome 打开任意页面
    • 点击扩展图标 attach

使用方法

运行 scripts/ctl.js 控制浏览器:

cd ~/.openclaw/workspace/skills/chrome-relay-browser/scripts
node ctl.js <command> [args]

可用命令

命令说明示例
navigate <url>打开 URLnode ctl.js navigate https://baidu.com
screenshot [path]截图node ctl.js screenshot /tmp/abc.png
title获取页面标题node ctl.js title
url获取当前 URLnode ctl.js url
evaluate <js>执行 JSnode ctl.js evaluate "document.title"

配置

Token 和 Port 存储在 ~/.openclaw/secrets/browser-relay.env,脚本自动读取:

  • RELAY_TOKEN - Gateway token
  • RELAY_PORT - Relay 端口号

故障排除

  • Unauthorized: 检查扩展设置的 Gateway token 是否与 secrets 中的 RELAY_TOKEN 一致
  • No tabs: 提醒用户先在 Chrome 中 attach 标签页
  • Connection refused: 重启 Gateway 或检查 RELAY_PORT 配置

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…