Unbrowse Openclaw

Analyze any website's network traffic and turn it into reusable API skills backed by a shared marketplace. Skills discovered by any agent are published, scor...

What to consider before installing or running this skill: - High‑sensitivity actions: this skill reads browser cookie databases and (on macOS) queries the system keychain to decrypt Chrome cookies. That lets it act as your logged‑in browser for many sites. Only proceed if you trust the code and the operator of any remote marketplace it publishes to. - Implicit downloads and scripts: the README and SKILL.md recommend running a setup script and 'npx agent-browser install' — these will fetch and run external code. Inspect any setup scripts (scripts/setup.sh) and npx packages before running. - Data sharing / auto‑publishing: discovered API schemas, traces, and diagnostics are sent to a remote backend (beta-api.unbrowse.ai) and a shared marketplace. Sensitive endpoints, request/response bodies, or even redacted traces could be uploaded. If you need privacy, do not enable publishing or run the server in network‑isolated mode. - Missing declared requirements: the registry only lists 'bun' but the code expects 'sqlite3', the macOS 'security' utility, and the 'agent-browser' tool; ensure those exist and understand the implications. The skill will also write persistent data under ~/.unbrowse and ~/.agents/skills/unbrowse. - Prompt/injection artifacts: SKILL.md contains patterns flagged by a pre‑scan (base64 and unicode control chars). Manually inspect SKILL.md and the included source for obfuscated/hidden instructions before trusting it. Practical steps: - Inspect scripts/setup.sh and SKILL.md fully before running anything automated. - If you need to experiment, run this skill inside an isolated VM/container that does not contain real browser profiles or real credentials. - If you must run on a host with real data, deny automatic cookie extraction and interactive auto‑register/publishing; read the code to find configuration toggles (e.g., UNBROWSE_NON_INTERACTIVE, UNBROWSE_TOS_ACCEPTED) and consider disabling network access to the backend. - Consider auditing/limiting what gets published: verify any 'publishSkill' calls and where trace data is sent (client/index.js) and whether you can opt out of remote uploads. If you want, I can list the exact code locations where cookies are read/decrypted, where data is uploaded, and the files to inspect first (e.g., src/auth/browser-cookies.ts, src/api/routes.ts, src/client/index.ts).

Type: OpenClaw Skill Name: unbrowse-openclaw Version: 1.0.0 The OpenClaw AgentSkills skill bundle is classified as suspicious due to its automatic and implicit extraction of sensitive browser cookies from Chrome/Firefox SQLite databases, including accessing the macOS keychain for Chrome decryption (src/auth/browser-cookies.ts, src/auth/index.ts). This high-risk capability is triggered automatically as a fallback if no credentials are found in its local vault, or to refresh stale authentication (src/execution/index.ts). Additionally, the skill establishes persistence by auto-starting its server in a detached process with ignored I/O (src/cli.ts, src/index.ts) and performs extensive data exfiltration of agent registration, skill manifests, execution traces, and diagnostics to an external endpoint (beta-api.unbrowse.ai, src/client/index.ts). While some security best practices are present (e.g., avoiding shell piping, dry-run for mutations), the combination of silent, broad access to sensitive user data and its transmission to an external entity without explicit, granular consent for each access raises significant security concerns.