kelvinschen

remote-chrome

Author: kelvinschen · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 266
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install remote-chrome
Description
Launch, stop, restart, or check the status of a remote Chrome browser service using Xvfb, x11vnc, and noVNC. Use this whenever the user wants to start a head...
Security usage recommendations
This skill appears to implement what it claims (start/stop/status a remote Chrome with VNC/noVNC), but there are a few practical risks and a metadata mismatch you should be aware of:
  1) Metadata mismatch: The registry entry declares no required binaries, but the scripts require system packages (Xvfb, x11vnc, noVNC/websockify, Chromium/Chrome, openssl). Install those before running or the start script will fail. The omission in metadata is a sign of sloppy packaging — verify dependencies yourself.
  2) VNC password handling: The start script writes the auto-generated VNC password to /tmp/remote-chrome-vnc-password.txt (chmod 600) and the status script constructs a noVNC URL that includes the password in the query string. Embedding the password in URLs risks exposure via browser history, server logs, proxy logs, or Referer headers. Prefer not to expose the service to the public internet; use SSH port forwarding, restrict firewall access, or modify the scripts to avoid placing the password in URLs.
  3) Network exposure: The scripts open VNC, noVNC, and Chrome debug ports. Before running, confirm whether Chrome's remote-debugging binds to localhost only (safer) or to all interfaces. If these services are reachable externally, an attacker could access the remote browser and data. Run in a trusted, isolated environment (VM/container) or behind a firewall.
  4) Least privilege: Run the scripts as a non-root user. Inspect the scripts before running to ensure no unexpected commands are present (the provided files look benign). If you will expose this on a LAN, consider adding authentication or TLS in front of noVNC/websockify.
  5) Quick checks before install: manually verify presence of required binaries (which Xvfb x11vnc websockify chromium openssl), ensure /tmp file lifecycle suits your security posture, and consider editing the script to avoid including passwords in URLs.
If you want, I can: (a) list the exact commands the scripts will run to help auditing, (b) suggest a small patch to avoid embedding the password in the URL, or (c) produce a hardened checklist to run this safely (firewall rules, systemd unit, user permissions).
Functional analysis
Type: OpenClaw Skill
Name: remote-chrome
Version: 1.0.0
The skill bundle contains multiple shell injection vulnerabilities in 'start-remote-chrome.sh' and 'status-remote-chrome.sh' because command-line arguments (e.g., --vnc-port, --screen-size) are passed directly into shell commands without sanitization. While the tool's purpose of providing remote VNC access to Chrome is clearly documented and lacks evidence of intentional malice, these vulnerabilities could be exploited via prompt injection to achieve remote code execution on the host system.
Capability assessment
Purpose & Capability
The skill description and scripts align: they start/stop/status a Chrome instance via Xvfb, x11vnc, and noVNC. However the registry metadata lists no required binaries or environment variables, while the scripts clearly require Xvfb, x11vnc, websockify/noVNC, Chromium/Chrome, and openssl. That metadata omission is an incoherence (the skill will fail without system packages).
Instruction Scope
SKILL.md and the scripts are scoped to managing local services and querying the local Chrome debug endpoint. They read /proc to discover processes and store the generated VNC password in /tmp/remote-chrome-vnc-password.txt for status reporting. The scripts do not appear to contact remote endpoints for control, but the status/start scripts expose the VNC password in a web URL query parameter which can leak via logs or Referer headers.
Install Mechanism
This is an instruction-only skill with included shell scripts (no automated remote install). There is no installer that downloads and executes arbitrary code. The included installation guidance references official package managers and an official Google Chrome download URL; that is expected and lower risk than arbitrary remote downloads.
Credentials
The skill declares no required environment variables or credentials (which is accurate for API keys), but the scripts respect proxy environment variables and create a local VNC password file in /tmp. Storing the password in /tmp and embedding it in the web URL increases the chance of accidental exposure. No unrelated cloud credentials are requested (no over-broad secret access).
Persistence & Privilege
The skill does not request permanent agent-wide presence (always:false) and does not attempt to modify other skills or system-wide agent settings. It runs local processes and writes temporary files under /tmp, which is consistent with its purpose.
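How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install remote-chrome
  3. Once installation completes, invoke the Skill by name or trigger it with /remote-chrome
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history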
v1.0.0
- Initial release of remote-chrome skill.
- Launch, stop, restart, and check status of a remote Chrome browser service with Xvfb, x11vnc, and noVNC.
- Provides web-based (noVNC) and direct VNC access to a full Chrome GUI remotely.
- Start script auto-checks dependencies and provides install guidance.
- Includes flexible options: custom ports, screen resolution, proxy support, and verbose mode.
- Integration instructions provided for use with agent-browser skill.
Metadata
Slug: remote-chrome
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 1
FAQ

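What is remote-chrome?

Launch, stop, restart, or check the status of a remote Chrome browser service using Xvfb, x11vnc, and noVNC. Use this whenever the user wants to start a head... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 266 total downloads to date.

How do I install remote-chrome?

Run the command "/install remote-chrome" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is remote-chrome free?

Yes, remote-chrome is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does remote-chrome support?

remote-chrome runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed remote-chrome?

It is developed and maintained by kelvinschen (@kelvinschen); the current version is v1.0.0.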
