Back to skill

Security audit

chrome-relay-browser

Security checks across malware telemetry and agentic risk

Overview

This browser-control skill is coherent, but it needs Review because it can run arbitrary JavaScript inside a user-attached Chrome tab with live session access.

Install only if you intentionally want agents to control Chrome tabs you manually attach. Keep the relay token private, attach only the specific tab needed, avoid sensitive logged-in pages unless necessary, and require explicit confirmation before JavaScript evaluation, form fills, purchases, submissions, account changes, or other irreversible actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill requires sensitive environment/config inputs (`RELAY_TOKEN`, `RELAY_PORT`, and a secrets file) but does not declare clear permissions or guardrails around their use. That mismatch increases the chance the skill can access credentials or privileged browser-control capabilities without adequate user awareness or policy enforcement.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill exposes an `evaluate <js>` command that forwards arbitrary JavaScript directly into the attached Chrome tab via `Runtime.evaluate`. Because this skill operates on a user’s already-open browser context, injected code can read page DOM, scrape sensitive data, trigger authenticated actions, and bypass the narrower browser-control use case described in the manifest.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger conditions are very broad and can activate for common browser-help tasks, which risks invoking a highly privileged browser-control skill in situations where a less dangerous tool would suffice. In context, this skill operates on the user's already attached Chrome tabs, so over-triggering can expose live sessions, authenticated pages, and in-browser data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes an `evaluate <js>` command that executes arbitrary JavaScript in the user's attached browser tab, but the description does not clearly warn users about this capability. This is dangerous because injected JS can read page content, interact with authenticated sessions, extract sensitive data from the DOM, and perform actions as the user in already logged-in sites.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script silently reads a relay authentication token from a local secrets file and uses it to control the browser relay without any user-facing disclosure or consent flow. In a skill that can manipulate an attached live browser session, hidden credential use increases the chance of unauthorized browser access and reduces transparency for sensitive operations.

Missing User Warnings

High
Confidence
98% confidence
Finding
This path executes browser-side JavaScript assembled from raw command-line input with no validation, warning, or confirmation. In the context of an attached user browser tab, that enables arbitrary code execution against authenticated pages, allowing data theft, DOM manipulation, or illicit transactions on behalf of the user.

Credential Access

High
Category
Privilege Escalation
Content
---
name: chrome-relay-browser
description: 通过 Chrome Extension relay 控制浏览器。用于控制用户已在 Chrome 中打开并 attach 的标签页,无需启动新浏览器,用户可直接看到操作界面。触发条件:(1) 用户让我操作浏览器 (2) 需要复用用户已打开的页面 (3) 需要截图/填表/点击等操作
metadata: {"openclaw":{"emoji":"🌐","requires":{"env":["RELAY_TOKEN","RELAY_PORT"],"config":["~/.openclaw/secrets/browser-relay.env"]}}}
---

# chrome-relay-browser
Confidence
87% confidence
Finding
.env"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/ctl.js:10

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/ctl.js:15