Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Thundarr Browser

v1.0.1

Provides real-time web browsing and content extraction by navigating URLs and summarizing page text up to 2000 characters.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (real-time web browsing and summarization) is reasonable for a browser skill. However, the SKILL.md explicitly lists a 'browse.py' tool and the package description references 'thundarr-gpu', yet no code files, executables, or install instructions are included. That means the skill as packaged cannot deliver the claimed capability without external components; this is an inconsistency (missing implementation) rather than proof of malicious intent.
Instruction Scope
SKILL.md instructs the agent to navigate the web and extract page text (returns first 2000 characters). It does not instruct reading unrelated local files or environment variables. The concern is that the instructions rely on an internal tool (browse.py) that is not present; it's unclear what network endpoints or user data handling policies the absent tool would implement. The instructions are otherwise narrow (no open-ended data collection), but the missing tool leaves behaviour unspecified.
Install Mechanism
There is no install spec and no code is written to disk by the skill itself, which reduces direct supply-chain risk. The lack of an install step is consistent with an instruction-only skill—but combined with references to missing tooling this suggests the package is incomplete.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportional to a read-only web summarization feature. Nothing in the SKILL.md attempts to access secrets or unrelated system configuration.
Persistence & Privilege
The skill is not marked always:true and uses the platform defaults. It does not request persistent presence or elevated privileges in the agent configuration.
What to consider before installing
This package appears to be an instruction-only browser helper that references a 'browse.py' engine and a 'thundarr-gpu' integration, but no implementation or install instructions are included. Before installing or enabling it: (1) ask the publisher for the missing browse.py source or a link to the homepage/repository; (2) confirm how network requests and page content are fetched and whether any data is logged or sent to third parties; (3) verify version/metadata inconsistencies (registry version 1.0.1 vs _meta.json 1.0.0) and request a signed/reviewable source; (4) if you must try it, limit its invocation and do not grant it broad, unattended access until you can inspect the actual tool implementation. The current package looks incomplete and should be treated with caution.
