ClawAudit verdict
open-browser
Browser automation skill that delegates tasks to a local OpenBrowser agent via documented scripts; network access is inherent to browser automation and all behavior matches the stated purpose.
โ Flagged for review โ coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis โ not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Permission integrity
package_install
Findings (5)
Instruction-prose smuggling shape detected: collects a sensitive target ("API key") and emits it outward ("Paste"). Phrased as prose with no trigger tokens โ a semantic prompt-injection / data-exfil pattern the syntactic scanners can't see. Final tier capped at Caution; review the instructions before installing.
SKILL.md ยท | Step | Action | Where | |------|--------|-------| | 1 | Load extension | `chrome://extensions/` โ Developer mode โ Load unpacked โ `extension/dist` | | 2 | Co
Opens WebSocket connection
references/api_reference.md ยท code ยท websocket
HTTP request to bare IP address โ common in malicious payloads
references/api_reference.md ยท prose ยท downgraded ยท http://127.0.0.1
Python urllib.request โ network access
scripts/check_status.py ยท prose ยท downgraded ยท urllib.request
Python os.environ.get โ reads environment variable
scripts/check_status.py ยท prose ยท downgraded ยท os.environ.get(
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class D). Final tier capped at Caution โ cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions โ minimal attack surface.
network_inpackage_install Is this flag fair?
Thanks โ recorded.