← Back to Skills Marketplace
kelvinschen

remote-chrome

by kelvinschen · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
266
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install remote-chrome
Description
Launch, stop, restart, or check the status of a remote Chrome browser service using Xvfb, x11vnc, and noVNC. Use this whenever the user wants to start a head...
Usage Guidance
This skill appears to implement what it claims (start/stop/status a remote Chrome with VNC/noVNC), but there are a few practical risks and a metadata mismatch you should be aware of: 1) Metadata mismatch: The registry entry declares no required binaries, but the scripts require system packages (Xvfb, x11vnc, noVNC/websockify, Chromium/Chrome, openssl). Install those before running or the start script will fail. The omission in metadata is a sign of sloppy packaging — verify dependencies yourself. 2) VNC password handling: The start script writes the auto-generated VNC password to /tmp/remote-chrome-vnc-password.txt (chmod 600) and the status script constructs a noVNC URL that includes the password in the query string. Embedding the password in URLs risks exposure via browser history, server logs, proxy logs, or Referer headers. Prefer not to expose the service to the public internet; use SSH port forwarding, restrict firewall access, or modify the scripts to avoid placing the password in URLs. 3) Network exposure: The scripts open VNC, noVNC, and Chrome debug ports. Before running, confirm whether Chrome's remote-debugging binds to localhost only (safer) or to all interfaces. If these services are reachable externally, an attacker could access the remote browser and data. Run in a trusted, isolated environment (VM/container) or behind a firewall. 4) Least privilege: Run the scripts as a non-root user. Inspect the scripts before running to ensure no unexpected commands are present (the provided files look benign). If you will expose this on a LAN, consider adding authentication or TLS in front of noVNC/websockify. 5) Quick checks before install: manually verify presence of required binaries (which Xvfb x11vnc websockify chromium openssl), ensure /tmp file lifecycle suits your security posture, and consider editing the script to avoid including passwords in URLs. If you want, I can: (a) list the exact commands the scripts will run to help auditing, (b) suggest a small patch to avoid embedding the password in the URL, or (c) produce a hardened checklist to run this safely (firewall rules, systemd unit, user permissions).
Capability Analysis
Type: OpenClaw Skill Name: remote-chrome Version: 1.0.0 The skill bundle contains multiple shell injection vulnerabilities in 'start-remote-chrome.sh' and 'status-remote-chrome.sh' because command-line arguments (e.g., --vnc-port, --screen-size) are passed directly into shell commands without sanitization. While the tool's purpose of providing remote VNC access to Chrome is clearly documented and lacks evidence of intentional malice, these vulnerabilities could be exploited via prompt injection to achieve remote code execution on the host system.
Capability Assessment
Purpose & Capability
The skill description and scripts align: they start/stop/status a Chrome instance via Xvfb, x11vnc, and noVNC. However the registry metadata lists no required binaries or environment variables, while the scripts clearly require Xvfb, x11vnc, websockify/noVNC, Chromium/Chrome, and openssl. That metadata omission is an incoherence (the skill will fail without system packages).
Instruction Scope
SKILL.md and the scripts are scoped to managing local services and querying the local Chrome debug endpoint. They read /proc to discover processes and store the generated VNC password in /tmp/remote-chrome-vnc-password.txt for status reporting. The scripts do not appear to contact remote endpoints for control, but the status/start scripts expose the VNC password in a web URL query parameter which can leak via logs or Referer headers.
Install Mechanism
This is an instruction-only skill with included shell scripts (no automated remote install). There is no installer that downloads and executes arbitrary code. The included installation guidance references official package managers and an official Google Chrome download URL; that is expected and lower risk than arbitrary remote downloads.
Credentials
The skill declares no required environment variables or credentials (which is accurate for API keys), but the scripts respect proxy environment variables and create a local VNC password file in /tmp. Storing the password in /tmp and embedding it in the web URL increases the chance of accidental exposure. No unrelated cloud credentials are requested (no over-broad secret access).
Persistence & Privilege
The skill does not request permanent agent-wide presence (always:false) and does not attempt to modify other skills or system-wide agent settings. It runs local processes and writes temporary files under /tmp, which is consistent with its purpose.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install remote-chrome
  3. After installation, invoke the skill by name or use /remote-chrome
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of remote-chrome skill. - Launch, stop, restart, and check status of a remote Chrome browser service with Xvfb, x11vnc, and noVNC. - Provides web-based (noVNC) and direct VNC access to a full Chrome GUI remotely. - Start script auto-checks dependencies and provides install guidance. - Includes flexible options: custom ports, screen resolution, proxy support, and verbose mode. - Integration instructions provided for use with agent-browser skill.
Metadata
Slug remote-chrome
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is remote-chrome?

Launch, stop, restart, or check the status of a remote Chrome browser service using Xvfb, x11vnc, and noVNC. Use this whenever the user wants to start a head... It is an AI Agent Skill for Claude Code / OpenClaw, with 266 downloads so far.

How do I install remote-chrome?

Run "/install remote-chrome" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is remote-chrome free?

Yes, remote-chrome is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does remote-chrome support?

remote-chrome is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created remote-chrome?

It is built and maintained by kelvinschen (@kelvinschen); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments