Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Super Browser

v0.0.2

Browser automation through the published `@pzeda/super-browser` package and its `super-browser` CLI against a real local Chrome session. Use when the task ne...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name and description match the instructions: the skill directs the agent to use the @pzeda/super-browser npm package/CLI to automate a local Chrome session (CDP on port 9222). The declared binary requirements (node, npm) and Chrome/Chromium dependency are appropriate and expected.
Instruction Scope
Instructions are scoped to browser automation tasks and include sensible CLI commands and diagnostics. They explicitly recommend reusing the user's logged-in Chrome session and exposing CDP on port 9222 — this is required for some automation use cases but is a sensitive capability (cookies, auth tokens, extensions, session data accessible via the debugging protocol). The SKILL.md does not instruct reading unrelated files or environment variables.
Install Mechanism
The SKILL.md tells the user to run `npm install -g @pzeda/super-browser` or to use `npx`. Installing an npm package from the public registry is an expected way to get a CLI, but it carries moderate risk because install-time and runtime scripts in the package can execute arbitrary code. No install spec or integrity checks are provided in the skill content.
Credentials
The skill does not request environment variables or external credentials, which is proportionate. However, the required capability to connect to a local Chrome debugging endpoint and reuse an existing Chrome login session implicitly gives the CLI access to sensitive browser state (cookies, stored tokens, autofill data). That sensitivity is inherent to the stated purpose but should be explicitly acknowledged by a user.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. It is instruction-only and does not attempt to modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it claims, but installing and running a third-party npm CLI and connecting it to your real Chrome session can expose sensitive data. Before using it:
(1) review the npm package page and source repository for @pzeda/super-browser and confirm the author and recent activity;
(2) prefer `npx` or a local (non-global) install to avoid modifying global state;
(3) run the package in an isolated environment (separate user/profile, VM, or container) if possible;
(4) avoid pointing it at your primary Chrome profile: either launch Chrome with a dedicated profile or deny remote debugging access to profiles with sensitive logins;
(5) restrict CDP to localhost and do not open port 9222 to the network;
(6) inspect package install scripts and runtime behavior (or request checksums/signatures) if you must install globally.
If you cannot audit the package, treat it as untrusted software and limit its access accordingly.




Runtime requirements

Bins: node, npm
