← Back to Skills Marketplace
149
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install xiaopi-chrome-devtools
Description
Uses Chrome DevTools via MCP for efficient debugging, troubleshooting and browser automation. Use when debugging web pages, automating browser interactions,...
Usage Guidance
This skill appears to do what it says (drive Chrome via MCP) but has a few red flags you should weigh before installing:
- It runs `npx chrome-devtools-mcp@latest` at runtime. That fetches and executes the latest code from npm each time — prefer pinned, reviewed package versions and inspect the package source before running.
- It launches Chrome with sandboxing disabled (`--no-sandbox`, `--disable-setuid-sandbox`), which weakens process isolation. Run this only in an isolated environment (container, VM) you control.
- It uses a 'persistent Chrome profile', which can grant access to cookies, sessions, history, and other sensitive browser data. Confirm whether the skill will use an isolated profile or your default profile.
- Owner/metadata mismatch: the top-level registry ownerId differs from _meta.json ownerId; that can indicate repackaging or inconsistent metadata — verify the publisher identity and source repository.
Recommendations before installing:
- Ask the publisher for the package repository and a pinned version (not `@latest`) and review the package contents.
- Run the skill in an isolated environment (temporary Chrome profile, container/VM) rather than on a machine with sensitive browser data.
- Prefer a release hosted on a known repository or pinned to a specific commit/release.
- If you cannot validate the npm package or publisher, do not install on hosts with sensitive data or credentials.
Capability Analysis
Type: OpenClaw Skill
Name: xiaopi-chrome-devtools
Version: 1.0.0
The skill configuration in skill.json disables the Chrome security sandbox using the --no-sandbox and --disable-setuid-sandbox flags, which is a significant security vulnerability. Additionally, it uses npx chrome-devtools-mcp@latest to execute unpinned remote code, introducing a supply chain risk. While these patterns are sometimes used in specific automation environments, they represent high-risk behaviors according to security best practices.
Capability Assessment
Purpose & Capability
The SKILL.md describes using chrome-devtools-mcp to control Chrome and skill.json invokes `npx chrome-devtools-mcp@latest` with Chrome args. The requested capabilities align with the stated purpose of browser debugging/automation.
Instruction Scope
Instructions reference a 'persistent Chrome profile' (which can expose cookies, history, local storage) and recommend writing large outputs to file paths. The SKILL.md does not request credentials, but operating on a persistent profile means the tool may access sensitive browser data. The runtime guidance to use filePath for large outputs implies the agent will write/read files from disk.
Install Mechanism
skill.json executes `npx -y chrome-devtools-mcp@latest`, which downloads and runs the latest package from the npm registry at runtime. Running dynamically fetched code is a moderate-to-high risk compared with a pinned, reviewed release. Additionally, the provided Chrome args include `--no-sandbox` and `--disable-setuid-sandbox`, which reduce process isolation and increase attack surface.
Credentials
The skill declares no required environment variables or external credentials (good). However, the use of a persistent Chrome profile effectively grants the skill access to browser-stored secrets (cookies, sessions), which is not reflected in the declared requirements and should be considered sensitive.
Persistence & Privilege
The skill does not request always: true and is user-invocable (normal). It will execute remote code via npx and may write package artifacts and profile data to disk; autonomous invocation is allowed by default, which increases blast radius when combined with npx/@latest and sandbox disablement.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xiaopi-chrome-devtools - After installation, invoke the skill by name or use
/xiaopi-chrome-devtools - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
chrome-devtools 1.0.0 initial release
- Introduces integration with Chrome DevTools via MCP for browser debugging, troubleshooting, and automation.
- Supports persistent Chrome profiles and configurable browser lifecycle via CLI arguments.
- Enables page selection, structured element interaction using unique uids, and efficient data retrieval options.
- Documents recommended workflow for navigation, waiting, snapshotting, and element interaction.
- Highlights parallel tool call support and troubleshooting resources for setup and UI issues.
Metadata
Frequently Asked Questions
What is Xiaopi Chrome Devtools?
Uses Chrome DevTools via MCP for efficient debugging, troubleshooting and browser automation. Use when debugging web pages, automating browser interactions,... It is an AI Agent Skill for Claude Code / OpenClaw, with 149 downloads so far.
How do I install Xiaopi Chrome Devtools?
Run "/install xiaopi-chrome-devtools" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Xiaopi Chrome Devtools free?
Yes, Xiaopi Chrome Devtools is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Xiaopi Chrome Devtools support?
Xiaopi Chrome Devtools is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Xiaopi Chrome Devtools?
It is built and maintained by Adin (@a-din); the current version is v1.0.0.
More Skills